Qualys’ Chief Risk Technology Officer, Richard Seiersen, explains why CISOs must move beyond technical firefighting and learn to quantify insider threats and AI expansion in the language of the boardroom: money.
In the fast-paced world of financial services, where innovation is both a driver of growth and a source of vulnerability, the conversation around risk is becoming increasingly sophisticated. While external threats dominate headlines, a more nuanced and potentially damaging set of challenges lies within an organization’s own walls and technological foundations.
We spoke with Richard Seiersen, Chief Risk Technology Officer at Qualys, to deconstruct the modern risk landscape, from the complexities of human behavior to the financial realities of cybersecurity investment.
Seiersen, with a background as a Chief Risk Officer at Resilience and Chief Information Security Officer at institutions like GE Healthcare and LendingClub, argues for a fundamental shift in perspective. The goal is not just to build higher walls, but to create a resilient, risk-aware culture that translates technical issues into the universal language of business: money.
Before delving into complex technologies like AI, it’s crucial to address the most unpredictable variable: people.
“An insider threat is essentially an employee or third party who can cause enterprise losses because of excess trust,” Seiersen explains. These losses aren’t abstract; they manifest as data breaches, wire fraud, or business disruption, often amplified by regulatory penalties.
From an insurance perspective, an environment of excessive trust is a “hazard”—a condition that increases the likelihood of a loss. While detecting malicious insiders is important, Seiersen advocates for a proactive approach. “Money is likely better spent on proactive measures and controls that reduce the most impactful hazards,” he states. This means moving towards a zero-trust architecture, which minimizes trust by default and grants access based on strict verification. By quantifying the potential financial impact of insider perils, institutions can prioritize their investments and focus on mitigating the most significant risks first.
The integration of Artificial Intelligence represents a paradigm shift, bringing both unprecedented efficiency and an “exponential expansion in your risk surface.” Seiersen describes a new reality where systems are built declaratively through prompts, creating a “multi-dimensional digital layer cake” of services and data flows. This blurs traditional lines of development, theoretically allowing anyone with access to initiate powerful actions.
Securing this new frontier requires a new mindset. “Agents, both human and AI, must be constrained in principle and in practice,” says Seiersen. This brings Privileged Access Management (PAM) to the forefront. However, sheer complexity demands a modern solution. “You will invariably need to fight fire with fire. AI will be a necessary defensive measure for applying both deterministic and probabilistic control,” he notes. The scale of AI-driven creation necessitates an equally scalable and automated defence.
For too long, security has been siloed as a purely technical concern. To be effective, security leaders must bridge the gap between their world and the boardroom. “To overcome this, you have to speak the language of business around risk, and that equates to money,” Seiersen asserts.
He proposes a framework for pricing risk that would be familiar to any insurance underwriter, focusing on “perils” like data breaches, extortion, and business disruption. The potential loss from these perils often correlates with tangible business metrics. Breach costs are tied to the volume of records lost; disruption is a function of downtime. By putting financial values on these risks, security investments can be framed in terms of ROI—the cost of a control versus its expected reduction in financial loss.
This financial approach allows leaders to make informed decisions about which risks to protect against directly, which to transfer through insurance, and which to accept with a clear understanding of the potential cost.
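As an added illustration (not from the interview or from Qualys), the arithmetic this framework implies, in Python: each peril's expected annual loss is derived from a business metric (records exposed, hours of downtime), a control is judged by its ROI against the loss it avoids, and the residual is compared with an assumed loss tolerance to decide between mitigating, transferring and accepting. All dollar figures, probabilities, control names and the tolerance are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Peril:
    """One insurable peril priced in dollars (all figures here are constructed)."""
    name: str
    annual_probability: float  # chance the peril is realized in a year
    loss_if_realized: float    # dollar impact, derived from a business metric

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.loss_if_realized

def breach_peril(records: int, cost_per_record: float, p: float) -> Peril:
    # Breach cost is tied to the volume of records exposed
    return Peril("data breach", p, records * cost_per_record)

def disruption_peril(hours_down: float, cost_per_hour: float, p: float) -> Peril:
    # Disruption cost is a function of downtime
    return Peril("business disruption", p, hours_down * cost_per_hour)

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction by which it cuts the peril's probability

def control_roi(peril: Peril, control: Control) -> float:
    """ROI = (expected loss avoided - cost of control) / cost of control."""
    avoided = peril.expected_annual_loss() * control.likelihood_reduction
    return (avoided - control.annual_cost) / control.annual_cost

def plan(peril: Peril, control: Control, tolerance: float):
    """Mitigate / transfer / accept; returns (actions, residual expected annual loss)."""
    actions, residual = [], peril.expected_annual_loss()
    if control_roi(peril, control) > 0:        # the control pays for itself
        actions.append(f"mitigate: {control.name}")
        residual *= 1 - control.likelihood_reduction
    if residual > tolerance:                   # more than the business will carry
        actions.append("transfer: insure the remaining exposure")
    else:
        actions.append("accept: residual is within tolerance")
    return actions, residual

# Constructed inputs: 200k records at $150 each with a 5% annual breach likelihood;
# a 24-hour outage at $50k/hour with a 10% annual likelihood.
BREACH = breach_peril(records=200_000, cost_per_record=150.0, p=0.05)
OUTAGE = disruption_peril(hours_down=24, cost_per_hour=50_000.0, p=0.10)
DLP = Control("least-privilege access + data loss prevention", 200_000.0, 0.6)
FAILOVER = Control("hot failover site", 150_000.0, 0.5)
TOLERANCE = 500_000.0  # assumed expected annual loss the board will carry per peril

if __name__ == "__main__":
    for peril, control in ((BREACH, DLP), (OUTAGE, FAILOVER)):
        actions, residual = plan(peril, control, TOLERANCE)
        print(f"{peril.name}: EAL ${peril.expected_annual_loss():,.0f}, "
              f"ROI {control_roi(peril, control):+.2f}, residual ${residual:,.0f} -> {actions}")
```

With these inputs the breach control returns a positive ROI yet leaves residual loss above tolerance, so the remainder is a candidate for transfer, while the failover control's ROI is negative and the outage exposure is simply accepted.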
A mature security program is proactive, not reactive. It aims to keep risk within acceptable, pre-defined tolerances by blending controls with intelligent risk transfer. This is the core function of what Seiersen calls the Risk Operations Center (ROC).
“The ROC is a practice and a platforming approach for keeping risk within tolerance,” he explains. “It does this by measuring operational risk or exposure relative to what the business stands to lose.” The objective is to “efficiently buy down the likelihood of loss” by applying controls dynamically and making smarter decisions about insurance coverage based on a clear view of the remaining residual risk.
This proactive stance moves the security team away from chasing the latest threat in the news and towards a sustainable, data-driven process. It’s not about convincing the board to care about a specific vulnerability; it’s about demonstrating that risk is being quantified and managed in a way that allows the business to focus on its primary goal: creating value.