Markus's journey reflects a multifaceted career progression with a strong foundation in hands-on IT work and building an information security and compliance program, where his cumulative knowledge provides a comprehensive approach to data-driven cyber risk management.
C-Risk: Can you tell us about your Cyber Risk Quantification journey and how you first encountered the FAIR methodology?
Markus Kaufmann: When I joined Funko as CISO, I was introduced to the FAIR methodology to run quantitative risk assessments through Tom Callaghan, who was serving as the VCISO at the time.
Coming from a background where we primarily used qualitative risk assessment methodologies, which I had helped build out at Wells Fargo, seeing risk and data quantified in this way was incredibly refreshing.
And over the years, you know, it got frustrating with because there's only so much you can do with qualitative assessments, and seeing what C-Risk done for Funko was like a breath of fresh air. It allowed me to speak the language of the business. Instead of relying on the old legacy "traffic light" model of red, yellow, green, high, medium, and low risks - where almost everything invariably ended up as medium risk - FAIR provided real, quantifiable data.
This not only empowered me to have better discussions with the board but also helped me quickly understand Funko's specific security challenges as I was chartered to build their information security program from the ground up.
How did you approach building Funko's information security program from the ground up? What were some of the key steps you took?
Markus: When I joined Funko, my first task was to figure out what security measures they had in place and identify the most critical gaps. The FAIR assessments we had done earlier were incredibly helpful in this process. I also conducted my own assessment using the CIS top controls and the ISO framework, mapping the results against the NIST CSF maturity model.
And over the next couple of years, I built out the security program and the compliance program, taking charge of the SOX 404 IT General Controls.
We implemented numerous security controls and tightened up processes to meet SOX requirements. I built a team that grew to include three full-time employees and three contractors, in addition to the work C-Risk did for us on compliance and risk assessment.
Through these efforts, we were able to move Funko's security maturity from 1.8 to 3.3 in just under two years, which I consider quite impressive given our small team size.
How did you approach budgeting and planning for this security program development?
Markus: When I came in, there wasn't a dedicated security budget - it was all rolled up into the IT infrastructure budget as one lump sum. So, I had to start from scratch in terms of budgeting and planning.
I did a lot of work breaking down the security-specific costs and forecasting future needs. My approach was to create a strategic roadmap. First, I created a one-year roadmap based on the initial gap analysis. Then, I developed three-year strategic roadmap.
This approach allowed me to propose and justify the necessary budget to the board and stakeholders. It was crucial to clearly communicate our security needs, the associated costs, and the expected improvements in our security posture over time.
You mentioned the importance of collaboration in information security. Can you elaborate on your approach?
Markus: Absolutely. For me, the key to success in information security is collaboration across everything, not just within IT. I believe too many information security programs make the mistake of putting on blinders and only looking at technology, forgetting about people and processes.
In my view, all three elements - technology, people, and processes - are equally important. The stronger the relationships and the better you can collaborate with your business partners, the more successful your information security program is going to be.
This collaborative approach allowed us to get a more comprehensive view of our risk landscape and ensure that our security measures were aligned with the needs and realities of the entire business.
One notable improvement was a really insightful conversation with the legal department. This helped us understand secondary risk drivers, such as the potential costs of class action lawsuits to the company.
How did the FAIR assessments help with analyzing cyber risk insurance coverage at Funko?
Markus: The FAIR assessments were very helpful in evaluating our cyber risk insurance coverage. We looked at each risk scenario we had developed and compared it against our cyber risk insurance policy to see if and to what degree each scenario was covered.
This analysis allowed us to identify areas where we had good coverage and also revealed one or two items that weren't covered. This information drove discussions about potentially modifying our insurance coverage.
One of the biggest benefits of using FAIR for insurance analysis is that it gives you a clear idea of your potential financial impact if there's a compromise. This allows you to make more informed decisions about your insurance coverage. Ideally, you want to ensure you're covered for worst-case scenarios to optimize your premium costs.
How do you view the importance of quantitative risk analysis in communicating with senior management and the board?
Markus: When presenting to the board, it's important to show numbers that make sense from a business perspective. Simply saying we have "10% high risk and 60% medium risk" isn't meaningful, and they'll quickly tune out. Instead, you want to communicate in terms of dollars at risk and the likelihood of adverse events.
I typically present data first, using visuals like charts or graphs to support and focus attention on particular areas. At Funko, I created a wheel split into quadrants, each representing a different risk scenario. The key is always to lead with data, using colors or visuals to help focus on certain areas you want to emphasize.
Data-Driven Guidance and Support for Your Cyber Risk Needs with C-Risk
Collaborate with our FAIR-certified Cyber Risk Quantification experts to address your infosec budget challenges, regulatory compliance requirements, or implement a tool.
C-Risk: Can you explain your concept of "return on risk" and how it differs from traditional ROI?
Markus: Return on risk is a concept I use that I believe is more applicable to information security investments than traditional return on investment (ROI). In my opinion, in a lot of information security programs, [risk professionals] mistakenly try to focus on return on investment. And that can be really difficult to establish for security controls. Most security controls aren’t going to drive sales in either direction, but they support things behind the scenes.
Instead, return on risk looks at how a security investment reduces potential losses. For example, if we've identified through a risk scenario that a website compromise could potentially cost us $5 million, and we're considering investing $500,000 in a web application firewall that would reduce that risk by $500,000 annually, we can clearly see the value of that investment from a risk perspective.
It's important to consider the annualized loss exposure (ALE) rather than just looking at the total potential loss. This allows you to compare the yearly cost of a control against the yearly reduction in risk. If a $100,000 annual investment reduces your annualized risk from $400,000 to $200,000, that's a clear return on risk.
This approach helps avoid investing in expensive "cool" security controls that might not significantly impact your overall risk posture. Unless it's a foundational control like multi-factor authentication that impacts multiple risk scenarios, if you can't demonstrate a good return on risk, it probably doesn't make sense to invest in that particular control.
As we wrap up, how has your diverse background in accounting, development, and IT infrastructure influenced your approach to information security?
Markus: My diverse background has been invaluable in shaping my approach to information security. Having worked in various roles, including accounting, development, and IT infrastructure, I've gained a broad perspective that helps me understand the impact of security decisions across different areas of an organization.
C-Risk: Thank you, Markus.
If you are navigating infosec budget constraints, regulatory compliance, or trying to subscribe to the most cost-efficient cyber insurance, we’re here to help. Our advisory services provide tailored solutions to support the needs of your team. Leverage our risk-based CRQ approach to drive informed decisions and strengthen your risk management capabilities.
Learn more about how our CRQ advisory services can support your organization.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.