Last week, the IT Security Guru team attended Cydea’s Risk Management Platform launch in London. After the event, Robin Oldham, CEO and Founder of Cydea, sat down with the Gurus to answer some questions about risk management and why it’s critical for businesses to take it seriously.
Established in 2019, Cydea set out to expel the fear, uncertainty and doubt that surrounds really understanding risk. Their aim is to manage risk, not to abolish it altogether, and their guiding question is: how likely is “likely”?
Firstly, what is the new Cydea Risk Management Platform? According to the team, the platform quantifies threats to businesses in financial terms, allowing them to visualise the consequences of different security-related business scenarios. By giving a monetary value to risks and cyber threats, the company says its new platform is designed to enhance Board-level communication, speed up decision-making, optimise investments and foster collaboration across all stakeholders, including business leaders, CISOs, IT teams and security professionals, so that they can prioritise and reduce cybersecurity risks to the business and help meet regulatory compliance.
But why is this important for boards? And why is it so hard to get budget consideration when it comes to cyber?
According to Robin: “We know that cybersecurity is a high priority for boards: 75% say it is. (See: DSIT). However, many security teams don’t present in terms that the board can understand and so struggle to get traction. That’s not surprising: “likely” can mean anything from 30%–80% to different individuals, and I’m not sure if you’ve ever tried adding up colours? It just ends up as a muddy mess! Also, for many, the ‘budget request’ is the first time for the senior conversation, rather than the culmination of a process.”
“Our platform helps security teams better engage with their business colleagues from day one. What are the important business activities? How do they contribute to the organisation’s objectives? How might we model those things? By engaging senior colleagues from the beginning, they’re already aware of and have faith in the outcomes of your request. And the financial quantification is the cherry on top: the ROI is immediately obvious!”
Cydea’s Risk Management Platform is built on the as-a-service model that is currently booming. How do you think the as-a-service model lends itself to risk management? Why was this the next step for Cydea?
“Risk management is never done. The cyber threat landscape is constantly evolving. For Cydea, this is a shift from one-off reports – immediately out of date and gathering dust on a shelf – to helping customers achieve enduring benefits. The subscription model also lets us add in support for new control and compliance frameworks as these evolve, ensuring that customers are always up-to-date.”
“Since founding Cydea I have said that if we, and our customers, really believe in something then we’d codify it. For many consultancies that means ‘accelerators’ in the form of transient report and presentation templates, but for us that means really codifying it. Plus, any subsequent consulting engagement will also be more cost-effective as we know what format and quality the data will be in.”
The platform was created after speaking to multiple business leaders and IT teams. Working with these customers, Cydea built a product that works for businesses and their needs and can be seamlessly integrated into their tech stacks.
How can organisations improve risk management?
“We see a lot of organisations using poorly defined, qualitative terms in their risk management processes. Our own research, and that of NATO, has shown that “likely” can be interpreted as anything from 30%–80%. That’s a huge difference when it comes to deciding if something warrants further attention.”
“The pervasive ‘5×5’ risk matrix is also a really low-resolution way of presenting results. Significant time and resource goes into conducting risk analysis, only for it to be boiled down to one of 25 different positions.”
“We believe it’s better to start ‘top down’ and quickly assess risk posture based on common business metrics – like revenue, headcount, etc – and model the business activities, rather than trying to understand the state of every single device in their environment.”
How has this informed the product? What are the biggest pain points of organisations right now?
“We always start with customers and what’s important to them. Building Cydea Risk Platform was no different. Customers, design partners and early adopters have all contributed to our user research that’s directly shaped what we’ve built. I think it’s a huge contributor to why we’ve gotten such overwhelmingly positive feedback with the launch.”
“Organisations struggle to know if they’re investing time and resources in the right areas. You can’t do everything, so risk assessment is a key part of how to prioritise that investment – be it in time or financial. Cydea Risk Platform helps organisations to have better conversations about cyber risk. It allows people to quickly and clearly model their cyber risk, what’s acceptable, and what they’re going to do about it.”
“It also helps security teams to show the progress they’re making: when they knew about a particular scenario, how they’ve assessed it, status of remediation plans, and a whole host of other routine hygiene operations. Kaluza are using it as part of their weekly, monthly, and annual updates, right the way up to the strategic level.”
What do customers say?
A representative from Kaluza spoke on the night. They highlighted the ability to tangibly show the results of the tools they’re using and the security schemes they’re engaging with as a real strength. Being able to do this in real time? In a way that integrates with business practices? Even better.