Transcript
Pankaj Goyal is my guest. He's from Safe Security. He's the chief operating officer, and we're going to talk about some cyber insurance and a few other things that some CISOs are absolutely kind of immersed in today. So good to meet you.

Good to meet you, Mike, and thank you for inviting me over here.

Of course. So tell me a little bit about your role, your kind of day-to-day, and a little bit about what Safe Security does.

Sure. So I'm the chief operating officer at Safe Security. Think of Safe Security as a platform which allows or which helps the CISOs to make intelligent decisions, and those decisions might be around the IT environment, around the OT environment, might be coming from third-party risk, or any other areas of risk. So the simplest analogy I give is if you're flying a plane, I don't know if you have tried this or it's on your list, if you're flying a plane, then the pilot sees like all the dashboard, his cockpit basically, and what the cockpit shows is all the data and the telemetry that the pilot is receiving from inside the plane. He must be getting external weather-based telemetry or guidance from the airport and so on, right? And based on that, the pilot is able to make decisions like the flight speed, the elevation, and so on. We are trying to do the same for the CISOs. So think of Safe as the single cockpit or a single decision-making platform for the CISOs where we collect telemetry from the IT environment, from the OT environment, and that's where we're very excited about our partnership with Claroty, and the third-party risk also, to help the CISOs make the right decisions. And most importantly, we are not stopping there. We are also going to the next level, which is being in San Francisco, you must have seen all the Waymo cars, like self-driving cars. Why don't we just not make the flying of the plane not just intelligent, but also autonomous?
So that's where we are here to talk about autonomous risk management on the third-party side where, through agentic AI, we can automate the entire process end-to-end for the CISOs to drive this autonomously.

That's going to make people nervous.

So data is power. Power or data does, when data creates visibility, visibility does create anxiety, and sometimes nervousness, but I always give the example that it's better that you know the weakness or you know the gaps rather than the attacker knowing that first. So yes, I think the whole game is to make it visible, transparent, and being able to take actions.

So tell me how the cybersecurity insurance providers, the brokers, etc., how are they involved with your platform and kind of how does that translate to the CISO as well, obviously?

Sure. So if you look at the landscape of insurance, cyber insurance, or any insurance actually, the key is, insurance is a data problem. So if you look at insuring a home, what the underwriters or the cyber insurance carriers, what they need is a history of what has happened in that particular zip code, what has been the construction cost, what has been the historical losses, and based on that, they can project the future and they can make intelligent decisions about your premiums, your coverages, and so on. Now, cyber insurance compared to other principles or lines of insurance is relatively new. So the data is limited and it is frustrating. It has been frustrating over the last four to five years where the insurance industry has basically, in many ways, it is driving blind, like they want more data. And that's where Safe comes into play, where we have been able to stitch together the different ecosystem components from the brokers to the carriers to the customers around making more data available, more data visible, and providing that level of transparency in the process of underwriting. So a simple example is we have partnerships with like four of the largest brokers in the U.S.
and internationally. These brokers are now able to go to their customers and say that, look, as a trusted advisor, I want the customer to know the gaps and know the risk and be able to actually become more secure before the insurance cycle or the discussion kicks in. We call it like the insurability angle, right? So we have partners like Marsh, for example, they go to their customers and they are able to get more visibility into their risk and they are actually able to take actions before the insurability kicks in, before the insurance discussion kicks in. And that's a win-win for both the customer as well as the broker because the broker wins as a trusted advisor and that's their role essentially, right? Now, on the other hand, from a carrier perspective, like we have Mosaic Insurance, Chubb and others who are also working with us where the underwriters can get access to more data and they can make intelligent discussions, intelligent decisions. And the key in the insurance world is not just to identify bad risks, the key is also to identify good risks because that's where you can drive better decisions. If you have more data about the environment, about the inside, we call it the inside-out underwriting, which is trying to understand on a real-time telemetry basis, what are the gaps in your OT environment, what are the gaps in your IT environment, what are the gaps in your third-party environment? And based on that, the underwriters can make more intelligent and better decisions in terms of coverages, in terms of premiums, benefits of which ultimately flow back to the customer. So it's a win-win for everyone. And that's where, say, we have been investing and we have been building this ecosystem over the last almost four years now.

Yeah. So you mentioned good risk, bad risk. Take me inside of that. How do you differentiate the two, maybe examples?

So I'll go back to the home insurance analogy.
Think about providing an insurance quote for your home by just clicking the picture from outside or just looking at your location. Now, it can give you some information, but very, very limited information. And that's what has been happening in the insurance industry so far, for a large part of the market, where outside-in ratings or outside-in scans have been used as a proxy. They are full of incorrect, irrelevant, and insufficient information. And so I think that's where, now, the second scenario is that the same home insurer is able to make decisions based on actual controls that you might have put into your house. Like, for example, you might have a working smoke alarm, a working fire alarm at the house. You're maintaining your house in the proper way. Your foundations are strong, and so on, versus your neighbor, who is not taking care and not making those investments. So you should get the benefit of that. You can only prove that when the underwriter or your broker sees those controls being put inside your home, not from the outside picture. And I think that's where we come into play, that through our analysis of the internal IT and OT environment, the carrier and the broker can make more intelligent decisions and ultimately provide you, as a homeowner who has invested in your security controls, better premium, better coverage.

I'm curious what you're hearing around OT environments, big factories, manufacturing companies, etc. What kinds of questions are there? Are you hearing more about insurance questions from those environments today than two years ago, five years ago, whatever?

Absolutely. The OT environment is... There are a couple of things happening. First is the OT environment is expanding. And not just what I own as a healthcare provider or as a manufacturing company. So it's not just my OT environment, but also I'm engaging with many third parties. Like, for example, I was talking to a hospital provider.
Many of their instruments, like the healthcare measurement instruments in the hospitals, they are relying on their suppliers, their third parties, and they are part of their supply chain in many ways. So the OT attack surface has been increasing. The second is that OT fundamentally has been a fragmented ecosystem. And as a result, compared to the level of investments that have gone into IT environment, OT is still lagging behind. And then third is that if you just look at the extent of damage, the easiest way I understand this is that OT is much closer to the human life compared to IT. IT is closer to the digital life, the data, but OT can cause, and we have unfortunately seen many examples where OT can cause bodily injuries in a couple of cases, even human deaths, system failure, and so on. So the level of impact is much more physical, much more close to our hearts, and it creates a lot of noise, especially for mission-critical systems. So as a result, from an attacker perspective, especially if your motivation is not financial, it is beyond financial motivation, then OT systems will be on your radar. And I think that's what we are seeing, and as a result, insurance companies are also trying to understand the OT environment better, because from their coverage perspective, from the risk perspective, OT might be equal or even actually contributing more to the risk that the insurance companies are underwriting. I mean, just like, I think yesterday there was an example of a power outage in parts of Europe. Now, the cause is still unknown, but that's kind of a system failure that happened due to unknown causes so far. But you can imagine in a country or in a company, the same level of system failure can happen because of OT environments being exploited. And those things have happened, which have been, unfortunately, very devastating cyber attacks. 
So I think from an insurance company, absolutely, from an insurance perspective, OT is becoming a key issue for specific verticals, and we are seeing insurance companies trying to understand that more.

Yeah, I mean, the distinction is huge, because with traditional IT security, you're talking about confidentiality, you're talking about the integrity of the data, and one of the core things about OT is safety, in addition to availability of systems, et cetera. So to your point, it's huge.

Yeah, and with the world evolving and the OT environment also evolving, think about all the AI that we are putting into the system and more automation, more robotic automation coming into play now, this risk is bound to increase further. Not to say that we should take it negatively, that innovation should continue and that should not stop, but I think overall, that's where Safe and Claroty have been partnering on how to provide that visibility to the companies themselves first, so that they can act or invest in the OT at the same level, at the same priority, like what they do internally for their IT systems.

So you brought up the overall fragmentation of OT, and there's a lot of complexity, there's a lot of proprietary technologies, you're either a Siemens shop or a Rockwell shop or whatever it is. Explain those challenges, and then from not just a security perspective, but just pulling data from there that's useful.

I think similar kind of challenges always existed on the IT side also, if you think about it, Mike, that the IT stack is no simpler.
And I think the OT stack is complex and proprietary, but that's where I think Claroty comes into play where when we integrate into the Claroty system, we are able to understand the vulnerabilities, the misconfigurations from the OT environment, and Claroty has done a tremendous job in sort of creating that layer and creating that visibility for the entire landscape, which we are very excited about, because it gives us a single point of contact or single point of integration. And now the CISO or the CIO can actually look at, okay, it's not IT versus OT, it becomes IT and OT together, because attacks are not happening in IT and OT in a separate way or let's say in an isolated way. Attackers might access or gain access through your OT systems and can move into IT systems or vice versa. And I think that's where putting the story together across IT and OT is what the customers are excited about.

Are there gaps that are happening because of this complexity, security gaps?

I think gaps are, especially the boundary between the IT and OT, how attackers move, that is still being understood. I would say that even when we look at combining the two ecosystems together and added with the complexity of the third party ecosystem together, there are always gaps that individual security teams or IT teams, they miss through. And I think that's where platforms like Claroty combined with Safe can actually solve that and provide that level of uniform transparency across the system.

From an insurance perspective, you mentioned earlier too, the supply chain, the third party, everybody wants access, everybody needs access, whether you're a vendor or a supplier. There are significant exposures there as well from an insurance perspective. How good are they at dealing with that and understanding those relationships?

The insurance companies are learning the OT landscape, I would say.
I think last week there was a discussion with Claroty, some of the customers and partners that many insurance companies have started this OT supplemental questionnaire. So they will give, in addition to their tens of questionnaires, there's another OT supplemental which is coming up, which is a good first step, but I think that's where, again, it lacks a couple of things. One is that it needs to be improved overall as a questionnaire, and I think that's where we together can help them. But secondly, again, a point in time, manually driven answers will only go so far. What we need is real-time understanding of the gaps which are happening because the attackers are not scheduling your attacks once a year, right? They're always on, and some of these recon or some of these attacks can span through months before they actually materialize. So I think the real-time version, the real-time element of getting this telemetry and intelligence is where Claroty is superb at, and I think we can help the insurance ecosystem there.

Is that whole questionnaire model becoming kind of outdated? I know they're really extensive. I've had someone from Marsh on my podcast probably about a year ago, and I forget what he said, like 250, 300 questions, and so many people on the teams are involved in kind of going through the environment, checking off checkboxes, whatever is involved, but it's a point in time kind of examination, right? Is that kind of what you guys are trying to get around?

I think some of those questionnaires, especially around governance, policies, compliances, are still relevant. What I think about this is, how can we free up time from that manual labor, as you said, multiple people working to figure out the answers, and maybe at the end of the day just guessing the answer? How can we actually automate that using AI so that we can free up time to do the more intelligent stuff, which is around real-time telemetry and actually figuring out the gaps and fixing those gaps?
And our philosophy with the insurance companies also has been that the questionnaires have to be simplified, the questionnaires have to be automated, and you need minimum... The AI has to be in the lead, and the human has to be in the loop, versus the actual actioning based on real-time validation, real-time telemetry from the environment, that's where we should focus 90% of our efforts on, and the benefit of that is going to everyone in the ecosystem. So I think that's where our partnerships, our partners, are trying to move the needle. Like, okay, questionnaires, we need to simplify, we need to automate, so that we can actually spend time on the actual stuff.

I'm curious, the supplemental OT questionnaires that you've seen, I assume, how would you assess the quality of those? Are they asking the right questions? What kinds of questions are they looking at?

To be fair, they're making an attempt to understand the OT market. I think that's where Claroty can actually help, because you guys understand the OT landscape much better than any of them, and I think the conversations are getting started, where how do we help the insurance companies? One thing I've seen that insurance underwriters and brokers, they're very open to learning about cyber, and their learning curve is very, very fast. So I think that we can definitely help them there.

What kind of OT data is helping underwriters, et cetera, make better decisions? It informs what they do.

Not very different from the IT, like simple, an understanding of the vulnerabilities present, which can be exploited. So Claroty is great at figuring out the vulnerabilities, and that's where when we ingest that data, as Safe, we ingest that data from Claroty, it gives us an instant view of the vulnerabilities and how those vulnerabilities can be exploited to execute a particular risk scenario on an attack.
So that is a very simple, but a very powerful example of how OT systems can be monitored and how they can be patched or improved upon on a daily basis. Similarly, like configuration gaps, any kind of resilience gaps, they should be figured out and we should get a view of that.

And do underwriters, do the carriers have any expectations about some of the protections that should be in place, and what are some of those?

Yeah, I think the impacts on OT systems are more physical impacts, obviously, and as a result, when you look at insurance policies, there's a constant discussion around how much coverage should be provided around, let's say, bodily injuries or system failures or business interruption because of that, and so on. So I think those are, let's say, sub-coverages or clauses, which are always present in the insurance policies, and as the ecosystem evolves, and especially for verticals like hospitals, like utility systems, like energy manufacturing companies, insurance companies are always constantly re-looking at their coverages and making sure that, first, they don't have any gaps and they are not providing higher or unknown coverages, and at the same time, there is a full transparency between them and the customer of what is covered and what is not covered.

And I'm sure a lot of companies use compensating controls in their environments as a mitigation or a stopgap. How does that fit into risk discussions?

And I think the insurance companies definitely try to understand that, especially if you look at it from a pure resilience discussion perspective, right? A lot of the resilience discussion so far has been around data or IT-based resilience, but I would say that resilience might be actually more complex on the OT side because how do we expect a set of doctors and nurses to go back to their physical systems or go back to their backup systems in case one of their operating devices is attacked or doesn't work?
And that needs a lot of training and that needs a lot of redesigning of the processes and so on. I've seen hospitals doing a good job of figuring out those risk scenarios and creating a business continuity plan or a resilience plan, but definitely a lot more thinking needs to go through the OT resilience and make it stronger. And I think insurance companies would love to understand that. They are trying to even understand how do you actually come back or what is your response, how does your backup system work, what will be the cost of backup, how fast can you recover, and so on. So they are trying to understand that, definitely.

Do you anticipate insurance requirements kind of imposing themselves in OT? What I mean is like right now, engineers or asset operators are very hesitant to patch, for example. They don't want to take down systems. It's working, don't touch it kind of thing, but do you anticipate insurance kind of changing that discussion at all? We have to do it because coverage says so.

We have seen some of those, I would say, insurance-driven actions happening on the IT side, definitely. I think one of my insurance friends gave me an example that like 30, 40 years ago, a lot of the automotive or vehicle safety was driven by insurance companies. And I think insurance companies have done a good job in driving those kind of almost like a basic minimum standards for ransomware or for data exfiltration. And overall, I see that that level of discipline or basic minimum hygiene standards can be enforced or insurance can be a good enforcer in that way. So it will be a positive moment for the industry. And I think, yeah, I'm sure that insurance companies are already playing a role in that.

Do you ever see companies having a misconception or even making a mistake about insurance and using insurance as a control, for example? It seems like a bad idea, but...

Insurance is always, I would say, it is a resilience control.
Because if you think about the risk cycle, you have risk understanding, then you have risk mitigation, and then the final step is always risk transfer and then risk acceptance. So risk transfer will always be... That's why you and I, we always buy car insurance, you always buy home insurance, because in our personal life, there is a risk transfer we are doing. I think companies will continue to do that. And insurance should be considered as an important financial resilience control, for sure.

But not an operational control.

Not an operational control, for sure. Because ultimately, specifically for OT, the damages on the reputation side, the non-quantitative damages can be more impactful than the financial damages, which can be potentially covered by insurance. So insurance companies are never going to cover your reputational damage, for example. So I think the companies, they're not relying or they're not using insurance as an excuse not to invest in their environment.

What's your baseline advice for a CISO around insurance and so forth? I'm sure you have a lot of conversations like that.

I think the baseline, what I tell the CISOs in my conversations is that first, it is important to understand how much risk you are sitting on before you go into the insurance discussion. And again, I love the analogy from our day-to-day lives, like when you are applying for an auto insurance on any website, you fill out which car do you have, which model do you have, what is the insurance, which zip code are you in, what's your commute behavior, and so on. So at the back end, the insurance companies, they are trying to understand your risk exposure. I think CISOs should do that first. What is their actual risk exposure based on the controls? Now once they understand the risk exposure, they have the same choices. You can invest to mitigate the risk and bring it down. You can invest to transfer the risk through insurance. And it's the same dollar which is going.
So that trade-off analysis needs to be done from a CISO perspective that they might be better off investing $1 into actually mitigating and improving the controls rather than transferring the risk. But then there is always residual risk left even after investments. And that's where the insurance discussion happens. And then the insurance discussion is fundamentally a discussion around how much coverage do you actually need, what type of coverages you need, versus the cost of the coverage. But understanding, getting visibility into the risk, which still I think is a gap for many organizations and many CISOs, is absolutely the first step.

I would imagine there are a lot of eye-openers there when they get in some kind of picture.

Yes. And it's good to get those eye-openers in internal discussions rather than when an actual event happens.

And how do the evolving threats, how does that change the equation? This is pretty fluid. It's not like auto insurance where you understand what a car accident is and the impact of them. This is different.

And that has been a challenge for the insurance industry because any other line of insurance, the cycles are longer, the data is well understood, there's a long history. But most importantly, history is a good predictor of the future. In cyber, almost none of this is true. So there's not a lot of history, there's not a lot of common data, and the history of the past may not be a good indicator of the future. So to the credit of the insurance industry, they have been actually very adaptive in their cycle, in their underwriting process, they have been trying to learn and move fast, as fast as they can. I think the future is not going to change. In fact, I would say that the variability or the dynamism on the OT environment is going to increase even more going forward.
And that's why I think I come back to the power of the Claroty platform and combining with the Safe platform because both these platforms together can bring you that real-time visibility on a daily basis and map it to what threat actors are doing. And you would be able to assess, as a CISO or a CIO, you would be able to assess that risk on a daily basis, and most importantly, take actions based on that.

All right, so last question. If we have this conversation, say, in two years from now, especially how it relates to OT, how is this going to be a different conversation? What do you expect?

I expect that there will be a lot more transparency around the risk on the OT side. I expect that there will be a lot of actioning by then taken by the CIO and by the CISO teams on the OT side. And finally, I expect that, or let's say I'm not expecting, but I'm hoping that this demarcation between IT and OT goes away and we think of technology end-to-end through automation, through AI, through data, et cetera, we just think of technology as a continuous spectrum rather than trying to create these physical-slash-digital boundaries.

Right. All right, excellent. Great to meet you. Thanks for coming on the show.

Thank you, Mike, for having me here.