In this Help Net Security interview, Sumedh Thakar, President and CEO of Qualys explores the vision behind the Qualys Enterprise TruRisk Platform, a strategic move aimed at redefining how enterprises measure, communicate, and eliminate cyber risk.
We delve into how Qualys assists CISOs in the complex balancing act of managing critical issues under budget constraints, the financial implications of cyber risk, and the advanced capabilities of the TruRisk Platform in providing a unified view of enterprise risk.
You are launching a new vision of “Measure, Communicate and Eliminate Cyber Risk” and you’re calling it the Qualys Enterprise TruRisk Platform. Can you explain what that vision entails and why you’re using that as your company north star?
Today, nearly every business is a software business, relying on software to run core operations, which makes them susceptible to elevated cyber risk and breaches. Cyber risk is business risk. Even attackers and ransomware gangs now organize like a business. They are optimized to focus on using the best tools, including AI, so that they can make the biggest profit possible.
The idea that cyber risk poses a comprehensive threat to the entire enterprise has gained traction and resonates with CISOs. CISOs find themselves in a challenging position, squeezed from both ends. On one side, there’s immense pressure to address critical issues, while on the other, budget constraints add to the stress. They are tasked with doing more with less.
Recognizing the difficulties CISOs face today, Qualys aims to go beyond conventional tools, such as multi-factor authentication and scanning. Our goal is to assist enterprises in accurately measuring and quantifying their cyber risk, effectively communicating this risk to stakeholders, and actively working towards its swift elimination.
What does it mean to “de-risk your business” and how does Qualys help businesses do that?
The term “de-risk” has traditionally been used to describe how financial service providers and institutions, such as insurers and reinsurers, avoid risk with a client rather than simply managing it. However, as cyber risk has become a dominant contributor to any organization’s overall risk posture, de-risking a business from cyber risk has become a central focus of executive stakeholders, from the CEO to the board of directors.
A business’s cyber risk can be much higher than its physical risk. For instance, while it’s rather unlikely today that someone might walk into a bank to rob it, there’s always the constant threat that the bank’s critical servers might suffer a cyberattack. With any risk, the question is, how do I reduce that risk and how much is the company willing to pay to reduce that risk? The answer to that must be anchored in being able to calculate and communicate that risk. If you can measure and communicate it well, you can then work on reducing the entire risk to your business. This is where Qualys comes into the mix. We have a major role to play in de-risking our customers’ business through cyber risk measurement, reduction, and communication.
This is the direction we are moving as a company. Our newly announced Enterprise TruRisk Platform will empower customers with a transformative approach to cyber risk management that offers a fresh perspective on measuring, communicating, and eliminating risk within the business. The platform will advance to bring in external ecosystem risk factors from third-party IT and security tools to provide organizations with actionable remediation options that lower their risk exposure – thus de-risking their business.
What is the financial impact of cyber risk to CISOs and their organizations?
CISOs are being pushed more into the conversation of the financial impact of cyber risk. In fact, it’s not just the CISO’s job, but a company-wide imperative to identify the most important applications and aspects of the business, and how much financial liability or loss is possible. This has really come to the fore in the last few years, because as cyber risk started becoming more important, CISOs wanted a seat at the boardroom table. But the board doesn’t necessarily understand the cybersecurity complexities of a zero-day vulnerability or multi-factor authentication. It cares more about the top line, bottom line and business risk. This concept of being able to quantify the risk to your business applications, communicate that financial risk, and decide how much you’re willing to spend to reduce risk is becoming increasingly important.
If you had two business applications with the same vulnerability, one with a risk of $5M a year versus another with a risk of $500M a year, where would you prioritize your resources? If both get hit by a cyberattack, the fallout would be very different. This financial risk calculation is also important from the CFO’s perspective. The enterprise needs to be able to account for how its limited cybersecurity budget was spent, what it was focused on, and if the outcome of that spend was successful. By spending it in one area, were you able to make the company a lot safer? By being able to anchor these decisions on the business value and loss value and knowing where to prioritize resources, CISOs will be more successful in coordinating with executives across the enterprise and reporting to the board.
Qualys is enhancing its platform with the introduction of the Qualys Enterprise TruRisk Platform. What’s behind this change? What’s new?
Qualys started this journey about 18 months ago by introducing the concept of TruRisk in vulnerability management. We found that only a small percentage of vulnerabilities disclosed are weaponized. So, instead of trying to fix everything, companies should correlate the most exploited vulnerabilities with those that are most important to the business and focus on fixing them. This way, you are not only more efficient with remediations and save time and money, but you get a better outcome.
In our conversations with customers, this idea was very well received, and they asked us to include more risk factors. Besides vulnerability management, there are also misconfigurations, firewall settings, etc. While we do collect quite a bit of risk factor data on the Qualys platform, we don’t have visibility into everything. So, by launching the Qualys Enterprise TruRisk Platform, we’re expanding our true measurement of risk. We are adding factors such as how much it would cost to reduce that risk and expanding how and who we communicate this information to.
On top of Qualys capabilities like misconfigurations and cloud security, we’re expanding to also include security ecosystem data from other security vendors that companies may have deployed and ingesting that into the same platform to give businesses one single view of risk. CISOs want to know what their top 10 vulnerabilities or risks are to fix. Well, if you have 50 different tools, you’d get 50 different “top 10” problems. With the Qualys Enterprise TruRisk Platform, we’re now consolidating that view across everything in the enterprise, so our customers can see the areas that are really impacting the most important parts of their business.
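As an added illustration of the prioritization logic described in the last two answers (the same vulnerability on a $5M application versus a $500M one, the “fix what is weaponized and business-critical” rule, and one consolidated top list instead of one per tool), here is a small Python model. It is example code written for this page, not Qualys code, and it does not reproduce the TruRisk scoring formula; the tool names, weakness identifiers, dollar exposures, remediation costs and likelihood weights are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str        # source tool that reported the issue (constructed names)
    asset: str       # business application the issue sits on
    weakness: str    # vulnerability or misconfiguration id (placeholder ids)
    exploited: bool  # True if the weakness is known to be exploited in the wild


# Constructed annual loss exposure per application, in dollars.
APP_EXPOSURE = {
    "payments-api": 500_000_000,
    "build-server": 20_000_000,
    "intranet-wiki": 5_000_000,
}

# Assumed yearly likelihood (percent) that a weakness is actually used against
# the asset: weaponized issues weigh far more than merely disclosed ones.
LIKELIHOOD_PCT = {True: 30, False: 2}

# Constructed cost, in dollars, to remediate each weakness on one asset.
REMEDIATION_COST = {"WEAK-1001": 200_000, "WEAK-2002": 50_000, "WEAK-3003": 10_000}

# Constructed findings, including one issue reported twice by different tools.
FINDINGS = [
    Finding("vuln-scanner", "payments-api", "WEAK-1001", True),
    Finding("cloud-posture", "payments-api", "WEAK-1001", True),
    Finding("vuln-scanner", "intranet-wiki", "WEAK-1001", True),
    Finding("vuln-scanner", "build-server", "WEAK-2002", False),
    Finding("config-audit", "intranet-wiki", "WEAK-3003", False),
    Finding("config-audit", "build-server", "WEAK-3003", True),
]


def consolidate(findings):
    """Merge reports of the same (asset, weakness) pair from different tools."""
    merged = {}
    for f in findings:
        key = (f.asset, f.weakness)
        if key in merged:
            prev = merged[key]
            merged[key] = Finding(prev.tool + "+" + f.tool, f.asset, f.weakness,
                                  prev.exploited or f.exploited)
        else:
            merged[key] = f
    return list(merged.values())


def expected_loss(f):
    """Annualized expected loss in dollars: likelihood of exploitation x exposure.
    Integer arithmetic keeps the figures exact."""
    return LIKELIHOOD_PCT[f.exploited] * APP_EXPOSURE[f.asset] // 100


def top_risks(findings, n=3):
    """The single enterprise-wide 'top n' list, after consolidation."""
    ranked = sorted(consolidate(findings), key=expected_loss, reverse=True)
    return [(f.asset, f.weakness, expected_loss(f)) for f in ranked[:n]]


def top_per_tool(findings, n=3):
    """What each tool would show on its own: one 'top n' per tool, which is
    the fragmented view that consolidation is meant to replace."""
    by_tool = {}
    for f in findings:
        by_tool.setdefault(f.tool, []).append(f)
    return {tool: [(f.asset, f.weakness)
                   for f in sorted(fs, key=expected_loss, reverse=True)[:n]]
            for tool, fs in by_tool.items()}


def best_spend(findings):
    """Rank by expected loss removed per remediation dollar, i.e. where a
    fixed budget buys the largest risk reduction."""
    ranked = sorted(consolidate(findings),
                    key=lambda f: expected_loss(f) / REMEDIATION_COST[f.weakness],
                    reverse=True)
    return [(f.asset, f.weakness) for f in ranked]


if __name__ == "__main__":
    for asset, weakness, loss in top_risks(FINDINGS):
        print(f"{asset:14} {weakness}  expected loss ${loss:,}")
    print("per-tool views:", top_per_tool(FINDINGS))
    print("best risk reduction per dollar:", best_spend(FINDINGS)[0])
```

The same weakness (WEAK-1001) lands at the top of the list on the high-exposure application and near the bottom on the low-exposure one, and `best_spend` shows how adding a remediation cost to the model changes the ordering: a cheap fix on a mid-value asset can outrank an expensive fix elsewhere once the budget constraint is part of the calculation.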