New York-based cyber readiness and risk management firm Axio has raised $23 million in a Series B funding round led by ISTARI, with participation from existing investors NFP Ventures and IA Capital Group. The funds will be used to enhance the company’s Axio360 platform and drive international expansion.
Axio's position is that the threat is not the risk: the risk is the business impact of the threat. For most firms, the greater part of cybersecurity effort and budget goes to mitigating threats rather than managing risk. Mitigating threats matters, but on its own it is not risk management, and the continuing run of breaches at well-defended organizations shows that it is not sufficient either.
True risk management can only come from an accurate quantification of the business impact caused by different threats. As a simple example, a DDoS attack is a threat, but the risk is the business impact; that is, the cost and effect of downtime caused by the DDoS attack.
Axio360 is a SaaS platform that quantifies the business impact costs of different threat events, tailored to each customer and presented in terms business leadership understands immediately. When a CEO asks the CISO how a particular threat might affect the business, a common response is something like ‘we’ve checked most of the boxes and our heat maps are nine green, five yellow, and only three red’. That is an answer to a different question: it describes control coverage, not the financial consequence of the event.
The right answer would be ‘this facility would be affected; it would be down for five days and would cost the business $n million’. By comparing the different impacts from different threats, the business can truly gauge where more effort is needed – either by increasing security budget or introducing new business processes to alleviate the real risk.
Axio CEO Scott Kannry gave SecurityWeek a hypothetical example. “If this event happens to us, it’s going to cost us $15 million, or $25 million, or it’s going to cost us $500 million. But we provide more detail. Of the $500 million, $400 million is lost revenue due to system downtime and the remainder is due to forensics and legal costs and so forth.”
With such information, true risk management becomes simpler. Faced with the risk of a $400 million downtime cost, investment in better system recoverability and redundancy could reduce the potential impact from $400 million to perhaps $40 million. Risk management is not always best served by simply buying more security products.
Kannry uses the Colonial Pipeline attack as an illustration. Assuming the cause of the shutdown was the loss of its invoicing system, it’s a fair guess the company hadn’t realized the associated risk. Kannry’s argument is that if the company had been able to model the business impact of such an event, it would more likely have seen the need to increase redundancy and pipeline flow monitoring.
In this instance, the preventive solution would have been improved processes rather than increased cybersecurity – and the Axio360 platform is designed to deliver the information necessary to measure the risk and implement solutions.
Part of the new funding will be used to build threat intel feeds into the platform. It already understands the likely impact of different events, but will now be able to relate the impact cost to what’s happening in the cyber environment. As a result, the Axio360 platform will improve its ‘susceptibility’ measure for customers. It will be able to detail the business impact from a specific event but will also indicate the likelihood or probability of that event occurring.
All of this is delivered by the platform in a continuous manner, allowing the customer to monitor the effect of its risk reduction activities. “The attack landscape has demonstrated that old, faith-based strategies that simply layer on controls without a clear understanding of what to prioritize have done little to reduce susceptibility,” he added.
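The approach described above (a per-event impact broken into components such as downtime revenue loss plus forensics and legal costs, scaled by the probability the event occurs, and mitigations compared by how much expected loss they remove) can be sketched as a small quantitative model. The following is an added illustration written for this page; it is not Axio360 code and makes no claim about how that platform computes its figures. The dollar amounts reuse the $400 million downtime / $100 million other-cost split quoted by Kannry; the 10% annual probability, the $80 million per day revenue rate, and both mitigation options (a recoverability investment that cuts downtime ten-fold, versus a preventive control that reduces likelihood by 30%) are constructed assumptions.

```python
"""Quantitative cyber-risk comparison: added example, not Axio360 code.

A loss scenario's impact is decomposed into components, scaled by an
annual event probability, and candidate mitigations are ranked by the
expected loss they remove net of their own cost. A Monte Carlo run then
treats outage length as uncertain, which is how the single-point figure
turns into a loss distribution. All numbers are constructed for
illustration.
"""
from dataclasses import dataclass
import math
import random
import statistics


@dataclass
class LossScenario:
    name: str
    annual_probability: float   # chance the event occurs in a given year
    downtime_days: float        # estimated outage length
    revenue_per_day: float      # revenue lost per day of outage
    other_costs: float          # forensics, legal, notification, etc.

    def impact(self) -> float:
        """Single-event business impact in dollars."""
        return self.downtime_days * self.revenue_per_day + self.other_costs

    def expected_annual_loss(self) -> float:
        """Point-estimate annualized loss: probability times impact."""
        return self.annual_probability * self.impact()


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    downtime_factor: float = 1.0     # multiplies outage length
    probability_factor: float = 1.0  # multiplies event likelihood

    def apply(self, s: LossScenario) -> LossScenario:
        """Return the scenario as it would look with this mitigation in place."""
        return LossScenario(
            name=f"{s.name} + {self.name}",
            annual_probability=s.annual_probability * self.probability_factor,
            downtime_days=s.downtime_days * self.downtime_factor,
            revenue_per_day=s.revenue_per_day,
            other_costs=s.other_costs,
        )


def net_benefit(s: LossScenario, m: Mitigation) -> float:
    """Expected annual loss removed by the mitigation, minus what it costs."""
    return s.expected_annual_loss() - m.apply(s).expected_annual_loss() - m.annual_cost


def rank_mitigations(s: LossScenario, options: list) -> list:
    """Best net benefit first."""
    return sorted(options, key=lambda m: net_benefit(s, m), reverse=True)


def simulate_annual_losses(s: LossScenario, trials: int = 20000, seed: int = 1) -> list:
    """Monte Carlo annual loss: outage length is lognormal around the estimate
    (sigma 0.5 is an assumed spread), other costs are taken as fixed."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() >= s.annual_probability:
            losses.append(0.0)          # no event this year
            continue
        days = rng.lognormvariate(math.log(s.downtime_days), 0.5)
        losses.append(days * s.revenue_per_day + s.other_costs)
    return sorted(losses)


def exceedance_probability(losses: list, threshold: float) -> float:
    """Fraction of simulated years whose loss exceeds the threshold
    (one point on a loss exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed scenario: 5 days down at $80M/day = $400M, plus $100M other costs.
BASELINE = LossScenario("ransomware outage", 0.10, 5.0, 80e6, 100e6)
RECOVERABILITY = Mitigation("redundancy and recovery", 15e6, downtime_factor=0.1)
PREVENTION = Mitigation("additional preventive controls", 10e6, probability_factor=0.7)

if __name__ == "__main__":
    print(f"impact per event: ${BASELINE.impact() / 1e6:.0f}M")
    print(f"expected annual loss: ${BASELINE.expected_annual_loss() / 1e6:.1f}M")
    for m in rank_mitigations(BASELINE, [RECOVERABILITY, PREVENTION]):
        print(f"{m.name}: net benefit ${net_benefit(BASELINE, m) / 1e6:.1f}M/yr")
    sim = simulate_annual_losses(BASELINE)
    print(f"simulated mean annual loss: ${statistics.fmean(sim) / 1e6:.1f}M")
    print(f"P(annual loss > $600M): {exceedance_probability(sim, 600e6):.3f}")
```

With these assumed inputs the recoverability investment removes more expected loss per year than the preventive control even though it costs more, which is the article's point that the cheapest reduction in risk is not always another security product. The Monte Carlo mean comes out above the point estimate because a lognormal outage has a longer tail than its median suggests; that tail is what an exceedance probability makes visible to a board.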
Bob Dudley, Axio board chairman and former CEO at BP, summarized, “Boards require deeper and continuous visibility into the state of organizational cyber readiness to ensure that investments and initiatives are properly aligned to broader risk reduction efforts.” The board is on the hook when a breach happens, but too often, oversight of corporate cyber risk gets lost in the technical details. Axio helps security and business leaders speak a common language centered on the financial impact of risk.
The firm was founded in 2016 by David White, currently president of Axio. It raised $4.5 million in a Series A funding round closed in 2018. The Series B round brings the total raised to around $30 million.