David White

David W. White is no longer with the Carnegie Endowment for International Peace.

David W. White was a nonresident scholar at the Carnegie Endowment for International Peace and President and Co-founder at Axio— a company with an innovative methodology and software that provides companies visibility to their cyber risk and enables them to prioritize investments to protect their business and employees. David leads Axio’s federal and academy team and consults with various critical infrastructure clients on cyber risk. David also serves on the faculty of ISTARI Navigator, an executive education program developed between ISTARI and the University of Cambridge Judge Business School on building organizational cyber resilience aimed at senior cybersecurity and technology leaders.

David co-developed Axio’s cyber risk management process and continues to refine the assessment, risk modeling, threat analysis, and insurance analysis activities that comprise that process. He is an expert in cybersecurity frameworks and maturity models, cyber risk quantification, and cyber insurance. He works with customers in the energy, utilities, financial, manufacturing, pharma, medical device, professional sports, and entertainment sectors.

David served as chief architect for the Cybersecurity Capability Maturity Model (C2M2) version 1.0, co-authored the CERT Resilience Management Model (CERT-RMM), and was the chief architect for the Smart Grid Maturity Model (SGMM). He remains involved in critical infrastructure cybersecurity thought leadership, including serving in a leadership role in the development of C2M2 versions 2 and 2.1 in support of the US Department of Energy. He is a frequent speaker at board meetings, conferences, webinars, and other events.

Prior to Axio, David worked in the CERT Program at the Software Engineering Institute at Carnegie Mellon University, a cybersecurity research program primarily funded by the US Department of Defense and Department of Homeland Security. He provided technical leadership for a portfolio of cybersecurity maturity models, diagnostic methods, research, and training.