Security breaches and malware can cost companies hundreds of millions of dollars. Just ask shipping giant Maersk, which reported that the NotPetya ransomware attack in June 2017 cost its business between $200 million and $300 million.
An extreme global attack, such as a hack that takes down a major cloud service provider, could cause economic losses totaling $53 billion, according to research from Lloyd's of London and the cyber risk analytics modeling firm Cyence.
For this reason, security is no longer confined to a corner of the IT department. And quantifying risk in probabilities and dollars is opening up a whole new market for software companies that can help enterprises measure and mitigate that risk.
“It’s relatively new from a software provider standpoint,” said John Wheeler, a Gartner analyst. Gartner began covering this market, which it calls integrated risk management and which spans strategic, operational, and IT risk, in 2015. The firm recently published its first forecast for the market, which found that by 2021 more than 50 percent of large enterprises will use an integrated risk management product or system, up from about 30 percent today.
Additionally, by 2020 at least half of the integrated risk management products on the market will be delivered as software-as-a-service (SaaS), up from about 25 percent today.
Wheeler cites Maersk’s loss along with the SEC filings of the pharmaceutical firm Merck, which also reported losses from the NotPetya attack. The malware disrupted Merck’s worldwide operations, including manufacturing and sales, costing the company more than $300 million in the third quarter of 2017.
“We’re starting to see more of these tech events impact true business operations, and that’s really driving the greater need to understand the potential exposure a company may have,” he said. “The integrated risk management marketplace focuses on software providers that can link IT risk and operational risk together, understanding the interplay between the two and the impact on a company’s strategy. And that’s where this quantification is really needed in strategic decision making.”
Software that Quantifies Cyber Risk
RiskLens is one of the software companies that helps enterprises quantify and manage security risk. Its risk-quantification software is built on the Factor Analysis of Information Risk (FAIR) model, a model for quantifying information security and operational risk in financial terms that The Open Group has adopted as a standard. Customers include Bank of America, ADP, Walmart, and Chevron.
The catalyst for RiskLens’ technology dates back to 2001 when RiskLens co-founder Jack Jones was working as a chief information security officer at Nationwide Insurance. “As a new CISO you go on your dog and pony show and beg for money,” Jones remembered. One of the executives asked him to quantify the company’s cyber risk. “I was hoping he’d ask me to talk about vulnerability. He said: ‘How much risk?’ Lots. ‘If I spend money on these initiatives, how much risk will I then have?’ Less. I left the meeting recognizing that those are very real questions and they deserve a very real answer.”
Jones co-founded RiskLens in 2011 with Steven Tabacek. “If an organization wants to be cost effective in risk management, then it really needs to quantify its risk,” said Jones.
The company’s software “provides a user interface to simplify the analytic process for the user and then the underlying computational engine,” Jones said, adding that he’s heard the user interface described as “Turbo Tax for risk analysts.”
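To show what a FAIR-style computational engine actually computes, here is an added worked example. It is illustration code written for this article, not RiskLens’ software or any vendor’s model, and every input range below is constructed. It follows FAIR’s basic decomposition: Loss Event Frequency is Threat Event Frequency multiplied by Vulnerability (the probability that a threat event becomes a loss event), and each loss event carries a primary loss plus, with some probability, a secondary loss. A Monte Carlo run over many simulated years turns the ranges into an annualized loss distribution in dollars, and running it twice, once before and once after a proposed control, answers the “how much risk will I then have?” question from the executive meeting above.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added example for this article, not RiskLens' or any vendor's code.
Each input is a (min, most likely, max) range sampled from a triangular
distribution; the scenarios and ranges below are constructed.
"""
import math
import random
import statistics


def tri(rng, range3):
    """Sample a (min, mode, max) range; random.triangular wants (low, high, mode)."""
    lo, mode, hi = range3
    return rng.triangular(lo, hi, mode)


def poisson(rng, lam):
    """Draw an event count with mean lam (Knuth's method; fine for lam < ~700)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario, years=10_000, seed=7):
    """Simulate `years` independent years of one loss scenario.

    scenario keys:
      tef            (min, mode, max) threat events per year
      vulnerability  (min, mode, max) probability a threat event becomes a loss event
      primary_loss   (min, mode, max) dollars per loss event (response, rebuild, downtime)
      secondary_prob probability a loss event also triggers secondary loss
      secondary_loss (min, mode, max) dollars of secondary loss (fines, churn, litigation)
    Returns summary statistics plus the sorted per-year samples.
    """
    rng = random.Random(seed)            # fixed seed => reproducible distribution
    annual = []
    for _ in range(years):
        tef = tri(rng, scenario["tef"])
        vuln = tri(rng, scenario["vulnerability"])
        lef = tef * vuln                  # FAIR: LEF = TEF x Vulnerability
        events = poisson(rng, lef)        # how many loss events this year
        loss = 0.0
        for _ in range(events):
            loss += tri(rng, scenario["primary_loss"])
            if rng.random() < scenario["secondary_prob"]:
                loss += tri(rng, scenario["secondary_loss"])
        annual.append(loss)
    annual.sort()

    def pct(p):
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "mean": statistics.fmean(annual),  # annualized loss expectancy
        "median": pct(0.5),
        "p90": pct(0.9),
        "p95": pct(0.95),
        "max": annual[-1],
        "samples": annual,
    }


def prob_exceeding(result, threshold):
    """Probability that a single year's loss exceeds `threshold` dollars."""
    samples = result["samples"]
    return sum(1 for x in samples if x > threshold) / len(samples)


# Constructed scenario: ransomware reaching a plant network (numbers are illustrative).
BEFORE = {
    "tef": (2, 6, 15),
    "vulnerability": (0.10, 0.30, 0.60),
    "primary_loss": (50_000, 250_000, 2_000_000),
    "secondary_prob": 0.25,
    "secondary_loss": (100_000, 1_000_000, 10_000_000),
}
# Same scenario after a control (network segmentation plus offline backups) that
# is assumed to cut the chance a threat event becomes a loss event.
AFTER = dict(BEFORE, vulnerability=(0.02, 0.08, 0.20))


if __name__ == "__main__":
    for name, scenario in (("before control", BEFORE), ("after control", AFTER)):
        r = simulate_ale(scenario)
        print(f"{name}: ALE ${r['mean']:,.0f}  median ${r['median']:,.0f}  "
              f"p95 ${r['p95']:,.0f}  P(loss > $5M) = {prob_exceeding(r, 5_000_000):.2f}")
```

The useful output is not the single ALE number but the spread: a decision maker can compare the 95th percentile of annual loss before and after a control against the control’s cost, which is the “cost effective” calculation Jones describes. The constructed ranges make the point; a real analysis would calibrate them from incident history, threat intelligence, and subject-matter estimates.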
Another security risk company, Corax, launched in 2013 to “give the enterprise the ability to understand cybersecurity and put risk into the language of the business,” said Ross McIvor, chief marketing officer at Corax.
Its platform takes technical data around a company’s assets and security, and blends that with corporate and financial data. “Then we layer over the top of that external data we are capturing — things like threat intelligence,” McIvor said. “Once we put all of that into the platform, we are able to give them a statement on the potential financial impacts.”
Cyence, the startup that launched in September and co-authored the Lloyd’s research cited above, combines economic and risk modeling with security. Its software quantifies cyber risk from an economic standpoint. Last month Guidewire Software, which provides software to property and casualty insurers, acquired Cyence for an undisclosed amount.
Proactive Cyber Risk Management
As these companies and insurers build and refine their risk and insurance models, the models will influence how CISOs and CSOs react to and manage risk across their businesses.
“Top performers,” Wheeler said, referring to these leading companies that treat cyber risk as a business risk instead of an IT silo, “understand that the risks they face are unique to their organization. By understanding those risks, they can better evaluate and prioritize the threats and vulnerability they have within their networks but also into their broader digital ecosystems — suppliers, vendors. And by allowing that risk view to guide them, they can be much more efficient and effective and proactive in managing the risks they face.”
The laggards, on the other hand, will continue “firefighting every threat that is out there,” which Wheeler calls a “futile exercise.” This is because threats are infinite. “And even the well-known threats, by the time they get to that state it’s too late,” he said.