The Center for Data Innovation spoke with Jose Seara, founder and CEO of DeNexus, a Boston-based company that provides a data analytics platform for large enterprises to design and implement cyber risk management. Seara discussed how DeNexus’ data analytics platform simulates cyber attacks to help companies in critical sectors prepare contingency scenarios and how AI can streamline and improve how companies manage their cyber risk.
Martin Makaryan: How does DeNexus help enterprises improve their cyber risk management?
Jose Seara: We help large enterprises in the manufacturing, transportation, electricity, and utilities industries improve their cyber risk management by using data to identify and estimate the risks of cyber attacks and vulnerabilities in their operational technology (OT). OT refers to software and hardware that enterprises use to control industrial equipment in industries like manufacturing and energy. In these industries, cyber risk may be a low probability, but the impact is high. In other words, most of the time, nothing happens, but when it does, the disruption can be massive. Think of a cyber attack compromising an entire country’s electrical grid or disrupting a critical manufacturing process. We help our customers understand the frequency of these events and the financial damages they may incur if an attack happens. We also allow them to simulate risk mitigation projects on our platform, which allows them to make more efficient decisions on how and what kind of financial and human resources to invest in their cybersecurity strategy. These simulations help them decide which projects to prioritize and where to allocate their resources instead of running a trial-and-error method and potentially wasting millions of dollars. If the financial rationale for deploying more cybersecurity projects doesn’t make sense, we help them identify the need for cyber insurance products and guide them through procuring the right coverage.
Makaryan: What inspired you to found DeNexus?
Seara: Prior to founding DeNexus, I was building companies that provide critical infrastructure, primarily in the energy field. In 2006, one of those energy projects brought me from Spain to San Francisco and over the following decade, I built a renewable energy company with operations in the United States and Canada. During that time, I realized that OT devices and processes were vulnerable to significant cyber risks in a very different way than traditional IT devices. The tools and solutions available to manage that risk were suboptimal in my view and I decided to turn this problem into a business opportunity and try to solve industrial cybersecurity risk management through a data-driven approach.
Makaryan: What technology powers DeNexus’ cyber risk management service?
Seara: Cyber risk is a highly dynamic and complex risk, so capturing that dynamism to offer valuable insights requires using a lot of data. We built our technology on a complex data analytics platform called DeRISK where we process external data on cyber threats from public and private databases, as well as internal data from our customers’ facilities and networks. We combine all of this data and run sophisticated simulations using customized risk models that we have built. These models allow us to identify the most likely attack paths—for example, how an attacker could penetrate a protected network and progress through to cause disruption. We use this data to estimate the associated financial loss in potentially successful attacks. We update this data and rerun the assessments for our customers every week, as there can be thousands of new vulnerabilities in a customer’s OT system that they discover in a given week. Rerunning the assessments allows us to provide them with the most up-to-date view of their cyber risk posture.
Makaryan: How do you use AI in the company?
Seara: We use AI in a few key areas. First, we have trained machine learning models to automatically map new cyber vulnerabilities, which we quickly incorporate into our weekly risk assessments for customers. Second, we are using AI tools to streamline corporate-level tasks within DeNexus, such as supporting our marketing efforts, developing new documents, and reading the market to inform our go-to-market strategy. These tools are important for a data-driven company like ours to ensure that we remain proactive and allocate our resources more efficiently where they are most useful—improving our assessments and providing the most accurate and up-to-date insights to our clients. Looking ahead, I believe future advances in AI will have a significant impact on our product. As we continue to grow our data sets, the ability to train more sophisticated models will be crucial for staying ahead of the curve in the cybersecurity landscape.
Makaryan: What challenges have you encountered in working with customer data?
Seara: The biggest challenge is surprisingly not technical—technology can and does solve many issues, such as collecting and processing massive amounts of data. The real challenge is on the business and compliance side. Our customers share highly sensitive data from their critical infrastructure facilities with us. This data could potentially be used to compromise those facilities if it fell into the wrong hands. Earning the trust of our customers to be good custodians of this data is crucial. For us, it’s a constant process of proving to new and existing customers that we are a trustworthy partner who will not become part of the problem, but rather a key part in solving their cybersecurity problems.