Axio is a leader in SaaS-based risk management software, which empowers security leaders to build and optimize security programs and quantify risk for better investment prioritization and decision-making. Pulse 2.0 interviewed Axio co-founder and CEO Scott Kannry to learn more.
Scott Kannry’s Background
Kannry grew up in the insurance industry—in particular, cyber insurance. Kannry said:
“I started my career at Aon on a commercial brokerage team that was forming right at the birth of what the insurance industry now calls cyber insurance. Effectively, I sold coverage to commercial enterprises who were concerned about that type of exposure and potential loss. However, it was really anything other than transactional sales because, throughout my time there, I worked with very large enterprises. The transactions were very company-specific and involved designing customized policies that usually involved various insurers. Interestingly, in those early days, there were eight people on our team, and now Aon Cyber Solutions has hundreds of employees.”
Formation Of Axio
How did the idea for Axio come together? Kannry shared:
“Axio is a function of my background and that of my co-founder, David White. I sold cyber insurance policies or legal contracts that covered a loss if the policyholder had one. Dave, on the other hand, is the architect of various widely used risk and cybersecurity frameworks, which are considered technical playbooks for security leaders.
We effectively met in the middle of our disciplines. We discussed the challenge of the theoretical CFO who was allocating their final budget tranche and faced the daunting choice of spending it on a technical control like a firewall (Dave’s world) versus a cyber insurance policy (my world). We wondered: How does that person decide which is the wisest investment? That question prompted us to build a methodology centered on financial terms to help navigate that challenge. Now here we are, almost eight years later, and that initial lightbulb challenge is the center of everything that we’re doing at Axio.”
Favorite Memory
What has been Kannry’s favorite memory working for Axio so far? Kannry reflected:
“There are plenty! Obvious candidates include recently getting recognized by Forrester as a “Leader” in its inaugural Wave report for Cyber Risk Quantification, certainly securing investment funding from some incredible investment funds, and – of course – when we landed some large and global enterprises.
However, my favorite memories are the calls and emails we get from our CISO clients after presenting Axio reports to their senior management or Boards of Directors. They are the happiest they’ve ever been thanks to the glowing praise, more budget, and/or a permanent seat at that table they receive from leadership. Through it all, those experiences speak to the meaningful difference that we’ve always set out to make—and those sit at the top.”
Challenges Faced
What are some of the challenges Kannry faced in building the company, and has the current macroeconomic climate had any effect on the company? Kannry acknowledged:
“Building Axio has been the biggest learning curve of my life. There is truly no playbook for this type of journey, despite what business schools or VCs might say, especially for a company like ours that is truly trying to redefine a discipline and how companies manage cybersecurity.
That dynamic alone has, at times, made it challenging to get the message to resonate with investors or perfect a go-to-market approach. One of the biggest challenges is staying the course as far as evolving from a services company to a product company. There are so many obstacles to being able to do that, and it’s a journey we’re not yet done with despite passing the biggest tests along the way.
The macroeconomic climate has made new sales more challenging, thanks to “new” expenditures being put under a lot more scrutiny. Luckily, the value that Axio provides has become more clear than ever. The value of a defensible understanding of cybersecurity spending and the resulting risk reduction return is music to a CFO’s ears in the current climate.”
Core Products
What are Axio’s core products and features? Kannry explained:
“Axio focuses on key high-risk areas of an enterprise so that organizations can budget wisely, improve cyber resilience, and demonstrate duty of care. The Axio360 platform is a decision-making engine for holistic cyber risk management, including cybersecurity assessments, cyber risk quantification (CRQ), risk transfer, and cyber insurance analysis.
Axio’s industry-leading cybersecurity performance management software aligns security leaders, business leaders, and Boards of Directors around a single source of truth about their most critical corporate risks. Since 2016, Axio has been a trusted partner to many of the world’s leading companies in critical infrastructure, energy, manufacturing, and financial services, helping drive better visibility and decision-making about cybersecurity priorities and investments.”
Evolution Of Axio’s Technology
How has Axio’s technology evolved since launching? Kannry noted:
“At the beginning, we were a services company, so the initial evolution was to build Axio’s methodology and cyber risk assessment and quantification framework into a SaaS platform. From there, we’ve been making investments in data integrations and partnerships so that Axi0360 can be enhanced by a variety of objective and real-time data sources. Most recently, we’ve started to incorporate AI capabilities into our algorithms while also introducing a product line to serve the cyber insurance industry.”
Significant Milestones
What have been some of Axio’s most significant milestones? Kannry cited:
“There are quite a few that we’ve experienced over the past few years:
— Being named a “Cool Vendor” by Gartner in 2020
— Being named a “Leader” by Forrester in the Cyber Risk Quantification Wave in 2023
— Being accepted into the Lloyd’s Lab Innovation Program
— Surpassing 1,000 active subscribing companies on the software
— And, of course, securing meaningful partnerships and investments from our backers, such as Istari, who led Axio’s Series B round.”
Customer Success Stories
After asking Kannry about customer success stories, he replied:
“CISOs have the most difficult job at any organization. Any time we can help a CISO explain their program and risks of the business to the organization is a win for us. The best success stories relate to the security leaders who elevate themselves and their work at the Board of Directors level, thanks to the reporting and insights that we provide.
This at times, results in increased budget requests being granted more easily, or in the current climate, security and risk budgets being easily defended. More importantly, we’ve had more security leaders feel incredibly secure in their jobs, despite that being rare in the profession. There is more stability for a security leader who approaches the problem from a risk management standpoint if an event happens on their watch compared to someone who is focused on prevention at all costs. That’s a general example, but those are often the stories that resonate, given the extremely challenging nature of the profession.
One particular success story I like to cite is a healthcare client CISO, who received his full budget request the first time he presented to the board because of the use of our product and reporting. The CFO stated that he will continue to get “everything he wants” if he continues running his program like this. This is the Axio CISO success story.”
Funding
Upon asking Kannry about funding and revenue, he revealed:
“To date, we’ve raised $30 million, which we are really proud of in comparison to the amount of funding that our various competitors have raised. I’ve never been of the belief that early large funding rounds are themselves evidence of ultimate success. Rather, we’ve steadily generated revenue from the beginning, allowing us to organically fund a lot of growth and preserve a great amount of ownership for our employees who are working hard to make Axio something special.”
Total Addressable Market
What total addressable market (TAM) size is Axio pursuing? Kannry assessed:
“We believe that the market we’re serving is greater than just ‘Cyber Risk Quantification’, which is estimated in the single digit billions range. Rather, a market defined along the lines of Cybersecurity Performance Management, or Security Operations Management is one that stretches far wider and touches all enterprises of a certain size and complexity. McKinsey & Company estimates this market is around a $400 billion TAM. That’s really what our value and this discipline is all about.
Axio recently announced it was recognized as a Leader in The Forrester Wave: Cyber Risk Quantification, Q3 2023. What is the significance of this recognition for Axio as a company, and how will this impact how companies assess their risk? Kannry assessed:
“For one, the report itself validates the emergence of the Cyber Risk Quantification category as one that is becoming mainstream in the world of cybersecurity and cyber risk management. The market has taken a while to get here—certainly longer than Dave and I envisioned at the founding of the company. For Axio to be recognized as a Leader is incredibly rewarding. It validates the bet that Dave and I made regarding our methodology and the direction of the company. Even though we do things differently from some other vendors who have been around longer or raised more funding, our approach of impact-oriented CRQ vs. FAIR is just as strong. It is a great option for organizations, especially those who run control-based security programs.
Between the Forrester Report and the newly updated and approved SEC cybersecurity rules, there are more tailwinds behind the discipline than ever before, and I do not see that slowing down. These factors and others will further elevate CRQ as a key component of a cybersecurity strategy.”
Differentiation From The Competition
What differentiates Axio from its competition, including how Axio’s CRQ methodology is different/more impactful? Kannry affirmed:
“There are a few hallmarks of our approach that make it really stand out. One is transparency and defensibility of the inputs and calculations. It’s easy for a security leader to stand in front of a Board of Directors or Executive Committee and explain/defend Axio outputs. Many of our competitors are black box in nature and overly precise, which not only challenges the ability to defend the numbers but also sends debates down rabbit holes as to why an estimate of potential exposure goes out three decimal points.
Another great value driver is the ability to create actionable cyber event scenarios in hours or less. That’s critically important for a CISO who needs a quick response to questions from management along the lines of “What if the type of event I just saw on the news happened to us?” That CISO does not have weeks or months to answer the questions.
Lastly, our methodology is a great fit for companies that utilize a controls-based approach to their security program, which further elevates our differentiators.”
Future Company Goals
What are some of Axio’s future company goals? Kannry concluded:
“I’m a hockey fan, and I feel like we are barely halfway through the first period, or perhaps only through game one of the Stanley Cup finals. There are various major initiatives underway that really focus on the power of the data that CRQ and Assessments (both compliance and maturity) provide – PLANNING. CISOs desperately need help in filling the socio-technical gap in organizations, and Axio provides that. We want to be their greatest tool in protecting their organizations.
This also includes the continued build-out and acceleration of our enterprise platform, strategic global expansion, and greater collaboration with the insurance industry. We’re having a tremendous impact in helping underwriters better understand and create sustainable coverage solutions for complex cyber risks. Evidence of this impact is Axio’s selection into the Lloyds Lab Innovation program. There’s a lot more to come soon on that front.”
