The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!
When you work in risk quantification, you face two main challenges: helping clients understand the value of what you do, and then helping them implement it. But after working in risk quantification since 2016, with another 10 years of experience in risk management, ThreatConnect’s Senior Solution Architect Tim Wynkoop has become an expert at both.
Risk quantification can provide actionable data that enables decision-makers to prioritize better and act faster, but only with the right strategy. According to Wynkoop, the key is to know what you need to measure and what you don’t. Without that discernment, he says, “You’re trying to boil the ocean.”
Outside of work, Wynkoop enjoys traveling and putting his strategic mind to use while playing board games. Surprisingly, his favorite is not Risk. Read on to learn how he protects clients even while working from halfway around the world.
The following conversation has been edited for clarity and length.
How did you get into threat intelligence and risk quantification?
Tim Wynkoop: I’ve been in risk management since about 2006 and worked in a variety of different roles, mostly in the banking world and the financial sector. I’ve held operational risk roles, as well as business continuity and disaster recovery positions. In 2016, I transitioned into risk quantification, leveraging the FAIR model at a predecessor to ThreatConnect. Then, I helped a customer build a risk management program before ultimately coming here.
How did that journey shape how you approach what you do?
There was a little bit of an awakening. Throughout that process, I was using subjective risk measurements like “inherent” versus “likely.” That’s where risk quantification came into play.
Really, risk quantification is a decision enablement tool. The whole crux of risk quantification is that it should enable me to make better decisions, whatever that decision is: Should I invest in this control? Should I patch this vulnerability versus that vulnerability? Should I invest in these other things? What should I do about this? Is this an acceptable amount of risk to my organization?
With risk quantification, I’m actually able to say, “Look, if this is the bad thing that you’re worried about happening, here’s how much it’s going to cost you.”
What does your role look like at ThreatConnect?
Officially, I help on the pre-sales side, where I give demos, help people figure out what their problems are, and explain, “Why is risk quantification better than what you do?” However, given my background, I also help out with customer success on the post-sales side.
A lot of the time, when people get into risk quantification, they want to measure everything. And yes, you can do that, but you’re trying to boil the ocean. You’re trying to do too much, too fast. So when someone does become a customer, I help them identify, “What are you all trying to do? How can we help you get there and also get value out of the platform?”
What, to you, is the top benefit of risk quantification?
Honestly, it goes back to that ability to make an informed decision that’s defensible. If you’re going to go to an executive, or your board, or whoever owns the money organization, and say, “I need $10 million to fix these problems that we’re going to have,” it’s not enough to say, “because I said so.” It makes a difference to actually be able to say, “Look, I need $10 million because it’s going to reduce our risk by $20 million.”
How do you assign a dollar value to a risk?
To quantify risk, you basically need to ask a couple of questions: first, what problem are you trying to solve, and second, what’s the bad thing you’re worried about happening?
If you’re able to say, “This is the bad thing I’m worried about happening” — meaning, somebody doing something bad to a thing of value — then the last question is, what are you doing to protect yourself from that? So let’s say you’re trying to protect valuables inside your house. If you’re living in a high-crime neighborhood, are you leaving your door unlocked?
That’s basically what risk quantification is. It’s saying, “When this bad thing happens, what’s the impact on me if this bad thing were to happen?”
How do you spend your time outside of ThreatConnect?
My wife is a pediatric ICU doctor and a malaria researcher, so we spend six months out of the year in Africa. I can still work there, but that’s an interesting thing. I enjoy traveling — being able to visit new places and try new things. And then, we have a ten-month-old, so that’s a whole interesting new adventure.
But other than that, I’m a quasi nerd. I’m not as nerdy as other people, but I enjoy playing board games and things like that.
What is your favorite board game? The obvious choice here would be Risk!
Surprisingly, not Risk. I would say, like, Settlers of Catan or Ticket to Ride — those types of strategic games.
And how do you balance working while traveling abroad in a different time zone?
Ultimately, I adjust my schedule. I still basically stay on Eastern hours. Because of my role, I support global, so I don’t usually start my day until the afternoon over there, because it’s six or seven hours ahead, but it’s also more convenient for me to work with some of our international clients because of the time difference.
Have you traveled since welcoming your little one?
We went last year. That was a little bit more challenging, because she was only three months old at the time. We had somebody who would help watch her a couple of days before that time, and then my wife and I would just switch off, but she didn’t want anybody other than us. It was only for a month, so it wasn’t too bad. We’re hoping that this time around, she’ll be more open to having other people hang out with her.
Does working in risk quantification and risk management shape your approach to problem-solving and prioritization in everyday life?
I would say yes, mainly because everybody deals with risk. For example, if you’re married, you’re taking a risk telling your spouse that you’re going to be home at 6:00 if you won’t get home until 6:30. If that happens once, OK. But if you’re consistently wrong, there’s risk management there.
So, yes, I would say that working in risk quantification has helped me take a logical approach to asking, “Is it worth the outcome in doing things a certain way?” But then again, I am also a risk taker. I’ve gone bungee jumping twice, and I would do that again in a heartbeat. I’ve gone skydiving twice. My wife’s like, “You work in risk. Why do you want to do this?” And I’m like, “Well, because it’s fun!”