Discover the Right CRQ Solution for Your Organization’s Cyber Risk Management Needs
Cyber risk quantification solutions are the enablers for cyber risk management programs looking to evolve from qualitative to quantitative risk measurement and to scale existing quantification efforts across the organization. Choosing the right CRQ solution is critical to achieving modern, performant cyber risk quantification results.
Join Toby Bussa, VP of Product Marketing, for a discussion with Tim Wynkoop, Senior Solutions Architect and cyber risk expert, where they will:
- Give a brief introduction to cyber risk quantification
- Cover popular use cases and outcomes CRQ programs support
- Dive into the benefits and challenges of cyber risk quantification approaches and solutions
In today’s rapidly evolving digital landscape, cyber risk management has become a critical priority for organizations worldwide. As businesses continue to expand their digital footprints, understanding and mitigating potential cyber threats is more important than ever. That’s where our expert cyber risk quantification solutions come into play.
What is Cyber Risk Quantification (CRQ)?
Cyber risk quantification (CRQ) is the process of measuring and expressing an organization’s cyber risks in financial terms. By leveraging advanced methods and tools, CRQ enables businesses to make informed decisions about their cyber risk management strategies. This quantifiable approach to risk assessment empowers organizations to prioritize investments, improve communication with stakeholders, and ultimately safeguard their digital assets more effectively.
Why Choose Our Cyber Risk Quantification Solutions?
- Comprehensive Analysis: Our CRQ solutions provide a thorough assessment of your organization’s cyber risk landscape, taking into account the latest threat intelligence and industry benchmarks.
- Financial Impact Assessment: We translate complex cyber risks into clear financial metrics, helping you understand the potential economic impact and prioritize mitigation efforts accordingly.
- Tailored Strategies: Every business is unique, and so are its cyber risks. Our solutions are customized to fit your organization’s specific needs, ensuring that your cyber risk management strategy is both effective and efficient.
- Automation and AI-Driven Insights: Our cyber risk quantification solutions leverage cutting-edge technology, including machine learning and artificial intelligence, to deliver accurate and actionable insights with minimal effort.
- Regulatory Compliance: Stay ahead of regulatory requirements by aligning your cyber risk management practices with industry standards. Our solutions help you meet compliance obligations with ease.
Benefits of Cyber Risk Quantification
- Enhanced Decision-Making: Make strategic decisions backed by data-driven insights.
- Improved Communication: Convey cyber risk information in a language that resonates with board members and stakeholders.
- Cost-Efficiency: Optimize your cybersecurity investments by focusing on the most critical risks to your organization.
- Increased Resilience: Proactively address vulnerabilities and improve your organization’s resilience against potential cyber threats.
Start Your Cyber Risk Quantification Journey Today
Toby:
Hi, everyone. Welcome to the webinar. We’re going to give it a few more minutes to let more people join, and then we will get started. So just a couple more minutes. Okay. I think we’ll go ahead and make a start. So thanks, everyone, for joining our webinar today. Hey, Tim, can you see my slides? Yes. Okay.
Tim:
I see... There we go. Okay.
Toby:
Yeah. Okay. We’re good now. Thanks. This is really taking its time today. Cool. So thanks, everyone. As I said, thanks for joining our webinar. Today, Tim and I are gonna be talking about how to choose the right cyber risk quantification solution. Let’s see if the slides are going to... There we go. Awesome. So, Tim, let’s start with you.
Tim:
Yeah. Well, one housekeeping note before we jump too far in. If for whatever reason the screen is showing too small for you, you can always hit full screen and it’ll make the presentation bigger for you. So welcome, everyone. My name is Tim Wynkoop. I’m a senior solutions architect here at ThreatConnect. I’ve been in the risk management space for, gosh, over seventeen years now. I’ve been doing risk quant for nine of those seventeen. So we’re excited to talk about this and give that perspective. And I also wanted to let you know, if you hear any weird noises or anything in the background, I apologize in advance. I’m currently not at home. I am actually in Malawi with my wife for her job. So I just wanted to give you a heads up if you hear anything like that.
Toby:
And I’m Toby Bussa. I run product marketing here at ThreatConnect. I’ve been doing cybersecurity, everything from security operations to risk management and third-party risk management, for over twenty years now. So, again, we’ve put up our LinkedIn invites there. So if you do wanna reach out to us after the webinar, please be sure to do that. So, today’s agenda. We’re going to take a few minutes to explain exactly what cyber risk is and some of the challenges associated with that. We’re going to talk about what exactly cyber risk quantification is as well. And then we’re gonna touch on some of the popular use cases and outcomes that cyber risk quantification can empower for organizations, talk about some of the current approaches and solutions for cyber risk quantification, and then talk about the benefits of a modern CRQ type of solution. A little bit of housekeeping. So there is a chat function. I believe Sarah has already put something in there. So if you do have questions during the webinar, please put them into that chat. We’ll be monitoring that. Tim and I will answer those questions at the end. We are going to offer a couple of winners who do provide questions a chance to receive a $50 gift card. So if you do submit a question, you will be entered to potentially receive one of those gift cards in our prize drawing. But we do encourage questions, so don’t hesitate to put those in there as we go along with this session. So, again, I think it’s important that we kinda start just as, you know, level setting, to make sure we’re all on the same page in terms of some of the terms and terminology that we’re gonna be talking about today. And that first term is really, you know, what is cyber risk?
So, Tim, I’ll hand it over to you. We’ve got a couple of examples here, but give us your understanding and, you know, how you view the concept of cyber risk.
Tim:
Yeah. Absolutely. Thanks, Toby. So when it comes to cyber risk in general, I mean, you can see it as we have on the screen. Right? There’s multiple definitions of what cyber risk is. But in reality, it is really just a way of understanding, like, what’s the harm if something happens. Right? Especially when it comes from a technology perspective. So even as ISACA defines it, it’s like the danger or harm of a loss related to the dependence on technology. Right? I think that kind of really hits it right on the head as far as when people think about cyber risk, what does that mean? What does that mean for me as an organization? And that goes into the questions of, well, what do I do about that? Is there anything that I can do about cyber risk?
Toby:
Yep. Thanks for that, Tim. And so, you know, really, when we think about that, why is cyber risk important? And, again, we have a couple of stats here on the screen, and this may sound a bit cliché, but it is the truth. And that really comes down to the fact that as organizations, particularly in the last several years, have had to really accelerate their digital transformation and their usage is, you know, kind of becoming digital, they’ve effectively created a larger attack surface. And when you create a bigger attack surface, there could be more potential exposures that create more risk for the organization. And, again, there’s a number of stats here about this. So, Tim, when we look at some of these concepts like ransomware, for example, how does that really affect cyber risk?
Tim:
Yeah. Well, I was gonna say, as you mentioned, the more reliance on technology that we have... and technology is great. Right? It helps us do things faster, easier, and better. But with that, it also brings more potential harm that could come to your organization. A prime example is, like, I’m sure everybody has heard about ransomware. Right? If you haven’t, you’re probably on the wrong call. But ransomware, right, in 2023, it increased to over a billion dollars. And something even more recent that you probably just saw in the news today, it looks like UnitedHealthcare, or UnitedHealth... I don’t wanna quote the wrong company, but they’re gonna be up to almost $1,600,000,000 from their ransomware event that just happened. Right? And that could be for a variety of different factors. Could be their controls. It could be that they have a reliance on technology, so therefore they have all of these attack surface areas going up. And as even some of the data is showing, right, sixty-one percent of organizations have experienced a ransomware attack. And with the average cost being around a hundred 1.1 and a half million dollars, basically. And that’s just from ransomware. That’s not even including a data breach, where even IBM is saying, look, in 2023 the average cost of a data breach was 4 and a half million dollars. Right? So it’s a big deal. And that’s why governments and other groups are providing additional pressure on businesses, whether that be from the new SEC guidance that you just heard for publicly traded companies, or, for those in Europe, there’s a new regulation that’s coming out. It’s not out yet, but it’s coming out. It’s called DORA, the Digital Operational Resiliency Act. It has components in there of, are you able to be resilient if there was an event that happened?
And this is also why organizations like NIST are putting out an updated version of their framework, the CSF. Right? Version two just came out.
Toby:
Yeah. I think... sorry. Go ahead, Tim.
Tim:
No. You’re fine.
Toby:
No. I was gonna say, I think what’s interesting, and what becomes a pain point for organizations, is what we refer to as basically the bookends. Right? This is the stuff that’s kinda squeezing organizations, because they’re getting it from the external perspective where attackers are coming after them. But simultaneously, you also have government and industry trade groups, etcetera, also putting a lot more pressure on organizations to get better at managing cyber risk. Mhmm. Tough place to be.
Tim:
Yeah. Well, then that’s even the nice transition. It’s like, well, how do you go about measuring it? Right? Organizations have been measuring cyber risk ever since the invention of technology. But the challenge it’s had is, a lot of the time, it’s been very qualitative in nature, or it’s based on feelings. And that’s fine, and it works. But when it comes to prioritization, here’s the challenge: if you have two red risks, or whatever red risk is, whatever you’re defining that as, which red is more red than the other red? Right? It’s hard to actually make that decision as far as which one should you actually focus on first. Or even if you’re deciding, hey, this is a red, and you’re asked, why is this a red? Well, I don’t know. I felt like that. Or I chose medium, because when in doubt, choose medium, because if it’s red, you have to do something about it, and with medium, you don’t. And green, you can’t have too many greens. So...
Toby:
Yeah. Having been a practitioner on the enterprise side many, many years ago, before quantification started to emerge, I mean, this is the way we did it. Right? And you’re absolutely right. It’s kind of like, well, let’s have some conversations and let’s kind of almost pseudo-survey people and get their inputs and their guidance. And, again, it felt like, well, this is how I feel. Right? I felt like this was a medium, and it wasn’t really a high. And you don’t know what kind of biases they’re potentially bringing to that when they make those decisions.
Tim:
Yeah. Absolutely.
Toby:
So we’ve got a few more challenges here, in terms of measurement. So I think, for me, these seem to be not just limited to cyber risk, for example. Right? These seem to be kind of universal challenges that we see in cybersecurity in general, particularly visibility, effort, and, kind of like, what data do I have access to? How do I do analysis on that? So how do these specifically, when we get down and say, how do these impact the ability to measure cyber risk? What are the specifics there?
Tim:
Yeah. And that’s where it gets a little challenging. Right? There’s models out there that maybe help you do some of those things, but it still is the challenge of visibility. Like, how do I know what my risks are? How do I know where to focus my efforts? Or I don’t have the resources that we need in which to do this. What do I do? And then where do I get my data from? Right?
Toby:
Yeah. It feels like, unfortunately, cyber risk management’s contending with the same challenges other areas of cyber risk, or sorry, cybersecurity, are as well. So...
Tim:
Yeah. Even to the point where I’ve had some people tell me, like, you can’t do this. Right? You can’t actually quantify risk. Well, you can’t. Right? It’s actually been around for, like I said, almost ten years now. So...
Toby:
Yeah. And so we hear from customers, right, that there’s these, I almost kinda refer to them as, like, mental hurdles that they have to get over. Right? They’ve either heard these things from other peers, or they may have experienced it firsthand. But we definitely hear about these just kind of common misperceptions going back to those things. Right? Like, do I have enough data? Do I have enough analysis? It’s just too hard to do that. So, right, I mean, I think this is a bit of a struggle for a lot of organizations that want to make that bridge between the qualitative and the quantification approaches.
Tim:
Yep. Yeah. And I mean, just being around for the amount of time that I have, I’ve noticed these exact same problems. Right? Once you get over that hurdle of, well, this isn’t possible, then it goes to, well, okay, I agree that it’s possible, but it’s too hard. Or, am I mature... I’m not mature enough for this. But that’s because the industry has shown, hey, there’s ways in which to actually quantify risk. And one of those, a great option, is FAIR. Right? But now the market has actually moved a little bit past FAIR as well. It’s still there. It’s still important. But there’s that common misconception that, hey, if I wanna quantify risk, I can only do FAIR. And that’s where some of the other challenges come into play.
Toby:
Cool. So now that we’ve talked about... right. Okay. There’s these misperceptions, these kind of mental hurdles that people have to overcome to get to quantifying cyber risk. Let’s kinda take another pause and say, well, what do we mean by cyber risk quantification when we’re talking about that? A couple of definitions are up there. So, Tim, if you don’t mind taking us through some of these.
Tim:
Yeah.
Tim:
Yeah. And I’m not gonna read all of them. Right? Because, I mean, if you Google “what is cyber risk quantification,” you’re gonna get pages upon pages of what vendors define risk quantification, or cyber risk quantification, as. Right? At the end of the day, it is the ability to define your cyber risk in financial terms and then, ultimately, to enable you to make better decisions. That’s really the crux of this. No matter what definition you go with, at the end of the day, if it’s helping you make better decisions, that is what cyber risk quantification is. I know that’s very general, but there’s a lot of value in some of the things that you’re seeing here. There’s a lot of different words. Simply put, make it a way so you can talk to the business, talk to your stakeholders, in something that everybody will understand, because not everybody understands, oh, I have 50 vulnerabilities and I need to do this and that and this control. And then people are like, what are you talking about? I just need to know how much money I need to give you.
Toby:
So, yeah, there’s a couple of common CRQ use cases, Tim. Which of these do you see most often? Whether the popular ones or the ones you think are more interesting?
Tim:
Yeah. Absolutely. So I think the biggest one that I’ve seen, in just being around for the long time that I have, is the ability to understand what your risks are and then ultimately prioritize which control mitigations. Right? We have limited budgets, and a lot of the time, our budgets are getting smaller. So how do you actually use the resources that you have in an effective way so you’re actually reducing your risk? So I think that’s one of the bigger ones, that mitigation prioritization. But also, I think I’ve seen more organizations really have the desire to prioritize vulnerabilities. Like, how can we get better at vulnerabilities? And then with that as well is getting through your backlog of your business applications or assets that you may have: should we actually retire this end-of-life application because it’s no longer supported? Right? Well, a lot of the time I’ve seen organizations struggle, like, I’ve had this for years because I can’t get anybody to sign off to get rid of it, even though there’s other tools out there that may be better for what we’re actually trying to do. And then more recently, obviously, there is the SEC piece of being able to say, well, what’s material? How do you define what’s material if you’re basically not quantified? So...
Toby:
Yeah. No. I haven’t, like I said, been on the enterprise side for a while, but I’d agree. Vulnerability prioritization, for example, is a classic case. Like, there’s only so far you can go with the existing ways to measure the severity of a vulnerability. And you do ultimately end up at a point where you kind of have to make some tough decisions in terms of, there’s gonna be trade-offs in terms of which vulnerabilities you can mitigate in some period of time. And then you kinda get stuck because you don’t know. I always use the kind of example of, if there’s capacity for ten vulnerabilities to be prioritized and remediated this month, and you have 20, how are you gonna choose those 10? Right? You don’t wanna have to go on gut feel. And that’s not a good position to be in. So, yeah, that’s one. And I think in terms of improving risk communication, right, to your earlier point, I’ve heard that’s a common challenge. How do cyber risk managers, how do CSOs, actually communicate upwards to the executives and to the board and really discuss risk in business terms? Right? Financial terms. And so it definitely helps there.
Tim:
Yeah. And I think because of those regulations that are coming down the pipeline, CSOs are getting a seat at the table when it comes to the boards and things like that, because they need to be able to answer: what are we doing for those things? How are we managing this? Yep. Spot on.
Toby:
Cool. Okay. So let’s go past the use cases and actually get into more of the technology. Like, how do you do this piece? So we’ve identified that there’s kind of three buckets of technical solutions, technical approaches, that are typically used by enterprises: the DIY, kind of in-house. And this ranges everything in terms of being a custom app versus using spreadsheets. Right? Still a lot of spreadsheet use out in cybersecurity operations these days. But then you also have, again, because FAIR has been out there for a while, the apps that are driven by FAIR, and then some of the more modern kinda data- and AI-powered ones. So what’s your insight on this one, Tim?
Tim:
Yeah. And I think that goes back to, like, how have we been measuring risk in the past. Right? Very qualitatively. And then as the switch to quantification has come into play, people are like, alright, I’ll only see what I can do for myself. Right? Which is, they wanna use their own data. Which is why, okay, let me just build something internally, because it’s too difficult. Okay. Well, and then there’s organizations that are using FAIR. And to be clear, I’m a fan of FAIR. That’s how I got into risk quantification to begin with. So FAIR is great, but it also has its limitations. Right? Especially if you’re trying to scale that. It serves its purpose. It has very good use cases for what it’s designed to do. But then as soon as you are trying to scale that anywhere, that’s where it gets a little bit challenging, which is, again, there’s things out there that are helping to hopefully do that. And then, more often than not, people wanna be able to say, well, how do I reduce the effort that I’m spending on risk quantification? That’s where the machine learning or AI-powered apps are coming into play. Right? You’re seeing more and more of that. And it’s not... people are like, oh, it’s AI. You should be scared of it. No. There’s various aspects of that. You can leverage AI in a way that actually helps you manage your risks in a way that is beneficial.
Toby:
So it feels like we are seeing these solutions trying to tackle each of these: the visibility issue, the effort issue, the data and analytics or analysis aspects of those challenges that we mentioned before.
Tim:
Yeah. Absolutely. Cool.
Toby:
So, yeah. Take us through some of these key attributes that we identified and kinda how they overlay to those three broad buckets of approaches used to do CRQ.
Tim:
Yeah. Absolutely. So, obviously, if you’re in, like, I wanna build this by myself, a lot of the drivers of that is you may not be happy with what’s out on the market, or you want to do some of your own custom analytics from that perspective. Or you feel like, hey, we can scale this better because we have a lot of really good data sources that we wanna use. Right? That’s one thing. And then, obviously, for the FAIR-based solutions, they’re great and whatnot, but the challenge that you run into there is it gets a little challenging to use, like, your own data. And you may think, well, yeah, I am using my own data. Well, a lot of it is still based on a lot of subjectivity. Right? You may have a data point, but it all depends as far as how you’re going about defining that. There’s just a lot of effort that tends to be needed in which to do it from that perspective. But, again, it does also support a wide range of use cases. So whether you want to use it for pure cyber scenarios or even leverage FAIR for things more like operational risk. Right? It gives you that flexibility. And then, ultimately, the machine learning or data-driven approach allows you to do a lot of that in a very easy fashion, where you can actually map it to things like MITRE and be able to actually understand what those external threat actors might be doing within your environment without you trying to guess. Like, hey, how could somebody do this? You usually have to ask that question: hey, if I have this particular type of an attack, well, how does this actually happen in my own environment? Right? Let’s take that out, and let’s let AI do that for you.
Toby:
Yep. Cool. So we have a product, Risk Quantifier. We have the platform slide here. Can you take us through the key components of that?
Tim:
Yeah. Absolutely. So when it comes to the RQ platform, again, you’re here. You’ve expressed some sort of interest in risk quantification. So, our platform, what we do is we come to the table with data. Right? We have industry data from loss data. We have our own attack path... we have our own attack modeling that has been done. Because, for those of you that are not familiar with ThreatConnect, we actually also have a threat intelligence platform on the side of the house. So that gives us that experience in that area to be able to say, hey, here’s the types of attacks. And then we also have industry data from open source, like things like the Verizon DBIR report as an example. Right? That’s open; anybody can get it. We also have data that we pay for to help augment, from a loss perspective and from a threat perspective. And then we also have our own data science team that goes out and does their own research and then takes the data and puts it in a way that is defensible for your organization. And then the only thing we ask of you is to define the parameters. Right? What type of organization are you, where are you at, and then what are the potential controls that you have in place. And then the platform is gonna be able to do all of that, and we can tie this in with as much automation as you would like, whether you wanna tie it into your GRC, your CMDB, where you’re trying to get all the pieces of information that you would need to help define what those parameters are, to ultimately help you answer those questions of, well, which control improvement should we focus on? Or, how much risk do I have for this particular line of business, as an example. Right? There’s a lot of different options depending on what you’re trying to answer.
Toby:
Cool.
Tim:
And then, ultimately, what I kinda touched on a little bit with the platform is, we don’t just stop and say, hey. First, what we do is we tell you, hey, based on those parameters you put in, here’s what your risks are. And then we take it in so that way you can actually take a look at your risk, whether it be for a particular line of business, maybe you’re looking across multiple, or you’re looking at a particular region, whatever it is, you’re able to see what those are. And, again, what it’s doing is it’s taking your information and mapping it down to the MITRE ATT&CK framework. So it’s really focusing on those external actors and basically saying, here’s the things that you should be worried about. Now, that’s great, but the challenge, or the next logical question in there, is, well, what do you do about it? Right? So that’s why the platform also provides automatic recommendations to say, here’s what you can do to mitigate this risk. If you improve it by one level, if you improve it by two levels, three levels, four levels, whatever it is, from your controls perspective, here’s what it would actually do to your overall exposure. Here’s how much risk, from a dollars-and-cents perspective, this particular control improvement would actually have within your environment.
Toby:
So, effectively, someone provides inputs. Right? Yep. RQ does the work. Yep. And you get these outputs. Right? Okay.
Tim:
Yep. And that’s where, again, as we talked about those, we’ll say, three different approaches, from, like, either do I build my own? Do I use pure FAIR? Do I use, like, machine learning? Right? Everything you’ve seen right now is actually on the machine learning, but that’s where we also recognize, hey, there’s different ways of answering a question depending on what question you’re trying to answer. So that’s actually where the platform comes into play. We kinda give you the ability to have your cake and really eat it too, because we actually support both: the ability to do a FAIR analysis, and we’ve also tried to automate the FAIR process for you. So it takes it a step further, allowing you to ingest your controls. But then we also leverage the machine learning piece. So you actually get all of those different options within one platform, and you can choose what modeling approach you wanna take based on the question you’re trying to answer, or for the group you’re trying to answer it for.
Toby:
So from an RQ perspective, we’re not locking you in, if I can summarize it that way. Right?
Tim:
Pretty much. Yeah.
Toby:
Okay. Cool. So it definitely has that level of flexibility. Awesome. So, cool. I guess it really liked the meme. Yeah. So that’s pretty much it for the presentation. If you’d like to learn more about RQ and how it can fit into your organization, you can reach out directly to us. Like I said, we’re available via LinkedIn. You can hit this link up to request a customized demo. Or if you’d like to go take a tour right now, we actually have an interactive demo available at backslash r q dash tour. So, multiple ways to get in touch with us if you’d like to learn more. So with that, it is time for Q&A. It looks like we have quite a few questions. So I’m just gonna, sorry, start from the top, Tim. And we go from that. So Maria asked, are there any shareable datasets that show cost which support the cost of impact figures you quote? And probability. Sorry.
Tim:
Yeah. So a lot of that is industry data. For example, from the cost perspective, there are a lot of well-known sources, but there's also a very large dataset that is a paid dataset called Advisen, or I think it's a Zywave company, just to be clear on that one, where a lot of organizations, a lot of CRQ vendors specifically, leverage that dataset to say, hey, look, here's what actual losses look like for organizations that have actually incurred events. And that's where being able to also show, hey, we've actually back-tested this to show here's what the actual loss showed versus here's what the platform calculated. Now when it comes to probability, it's really the probability of what? If you're talking about a particular type of attack, if you're talking about a ransomware attack, well, there's data like the Verizon DBIR, which is a good one, but also something called the Imperva web application attack report. And then even the Cyentia Institute, I think it's the Cyentia Institute or something along those lines, has information as far as what attacks look like and what's the probability of this occurring within your environment, or it gives you a very industry-level perspective without seeing, hey, this is what your industry or your organization looks like. So hopefully that helps.
Toby:
Cool. So Leon asked, what are the presenters' views on Hubbard's book? So I'm assuming this is "how to measure anything" in cyber risk quantification?
Tim:
Yeah. So it could be, is it The Failure of Risk Management? Is it How to Measure Anything, or How to Measure Anything in cyber risk management, version one or version two? So it depends on which one. I like Douglas Hubbard. I think he kind of laid the framework for just showing that, hey, you can actually quantify things. I really loved his example of being able to quantify the number of piano tuners in Chicago in, like, the nineteen seventies or something like that, with very minimal information. So I think that was kind of the crux for where FAIR was coming into play. And then I'll go ahead and answer his next question. I think I've already answered this, but like I said, I'm a fan of FAIR. FAIR is great. It has its use cases. It's a really good way of breaking down your risk into its various components of probable frequency and probable magnitude of future loss. But outside of that, it does get a little challenging. So, again, I'm a fan of it, but when you're trying to scale that, and I'm speaking from experience here, I've tried to build FAIR-based programs. It's just a lot of effort, and you have to have a lot of conversations with subject matter experts. And regardless of what you're getting as a subject matter expert's estimate, there's still a lot of subjectivity in there.
Toby:
So Chris asked kind of a question. It's kind of assumed that our view is that FAIR isn't the only option. So hopefully we answered that question, because we do think that there are other approaches than just FAIR. Again, it's a good approach, but there definitely are other tools in the toolbox. Jerry asked, do you think CISOs are scared to show how much cyber risk the organization they support has?
Tim:
I...
Toby:
I think that's a great question.
Tim:
Yeah. I think to some extent, yes. I've seen organizations; we actually have one of our customers where it wasn't that their CSO was afraid. They were actually saying, hey, look, here's what the risk is. But their legal department was like, hey, we're not going to show that. Because they feel like if they're showing that, then they're held liable for it. They're held responsible for it. Well, I think that's where some of the regulations are coming into play, where they're kind of taking that fear out of the mix. They're saying you must do this. You have to do this. You have to show what's material within your organization. And really the only logical way to do that is to show it from a dollars and cents perspective. So hopefully that helps. Yeah.
Toby:
So another great question from Maria. Can we use the data from ThreatConnect to quantify that an organization operates in a less risky fashion, so we can get better insurance coverage for less dollars? So, yeah. Can it correlate payouts and actuarial data to the control domains of the environment? Yeah, it's a fantastic question.
Tim:
Yeah. So we've actually gotten this question a lot as far as, will it actually reduce your premiums? I would like to say yes. But I think the jury's still out as far as whether insurance companies are willing to do that. But a lot of the time, what I've seen is, if you can actually show, hey, look, we have these things in place, it definitely gives you a larger, we'll say, negotiating tactic, to be able to say, look, we're taking extra steps. We actually understand what our risk is, and therefore we only want to insure against maybe our eightieth percentile. Just a little plug for the platform: we actually have a section in the platform that allows you to do just that, saying, what is your risk from a high-level perspective, and if we were to insure against whatever percentile we're looking at, how much is that? And then that allows you to answer the question, is it worth that extra spend? If they're telling me, hey, you need a hundred million dollars' worth of insurance coverage, but your risk is only $50,000,000, well, why pay that extra money? So, totally.
Toby:
So Chris asked, is there an actual sweet spot that uses all the solutions? So I think, hopefully, we answered that. We believe RQ does address all those. Leon asked, what are the pros and cons of reporting a single number for CRQ, like an estimated value, versus reporting a distribution? Good question.
Tim:
Yeah. So that's a good question. As far as reporting a single number: if you're reporting a single number, what is that single number? Are you reporting the average? Are you reporting the most likely value? What is it? Now, it is good to show an annualized value. So a lot of the time you'll hear this ALE, or annualized loss exposure or expectancy. If you're reporting on that, that's part of the story, because it does take into account the frequency. However, what I've found is that a lot of organizations tend to get confused by that, or the stakeholders are getting confused by that, because, like, well, hey, we had an event and it actually cost us $10,000,000, and you told me our losses would be a million dollars. Well, that's where I've found, from what I've seen more often than not, it's better to actually report on multiple numbers. So how much is it going to cost you when it happens? And then overlay that into, okay, now let's take into account what this actually looks like in our environment, as well as how frequently this type of thing could happen.
Toby:
So, cool. Let's see. Jerry asked, I think he stated that AI could be used to calculate CRQ. Can these LLMs be shared with the business? So I guess it sounds like the type of question around transparency of the models to the business.
Tim:
Yeah. So within the platform itself, we're not a black box. I mean, we actually have an entire section within the platform saying, how do we get to these numbers? So this allows you to be able to say, hey, business, here's the information that we have. Here's the information that went into it. Here's the data that we used and where it came from. So we do give you that, which then would allow you to share that with your lines of business or whoever your stakeholders are.
Toby:
Cool. Leon asked, are cyber insurers expecting CRQ, and are they using CRQ themselves?
Tim:
I have seen, I've actually had quite a few conversations with a few different insurers. I think they are just starting to get into it. So I haven't seen them say this is an expectation yet. That could change, obviously, as additional regulation comes out from the various governments. But I have seen them start to use that because, again, the goal, as we said at the very beginning, the goal of risk quantification is really to enable better decisions. They're making decisions just like you are, but their decisions are, should we actually give you a policy in reference to this? And so we've actually been in conversations with a few insurers as well to say, hey, can you use this? And also kind of put a bug in their ear as far as, can you use this to potentially reduce the premiums people are paying because of CRQ? It's not quite there yet, but I think it's on its way in the near future.
Toby:
Cool. Spiros asked, how easy is it to find the required data within an organization, quality, volumes, etcetera, in order that such a solution provides the ROI management seeks?
Tim:
Yeah. So what I've found is it's actually much easier to find the data than you may realize. Some of it is a matter of what question you're answering, or how you ask the question. And that's where I think a lot of the machine learning models come into play. We can work with some very high-level information, or decently high-level, which is generally found within a CMDB, or, sorry, an asset management software like a CMDB for those that are not familiar with that terminology, or a GRC, a governance, risk and compliance platform like ServiceNow, Archer, or any of the GRC platforms that are out there, which usually has a lot of data. And then ultimately, relying on the last, we'll say, place in which to find data is generally just asking questions, going out to potential application owners and saying, how much data do you have in there? And then when it comes to the return on that investment, the return on that spend, that's actually a two-pronged approach. One is you have to understand, well, how is improving this particular control going to change my risk? And then secondarily, once you know that, well, what do we actually have to do to change our risk? What if we go from a level two to a level three from a NIST maturity perspective for asset management, as an example? What does it actually mean to do that? And then that allows you to go and say, all right, company Y, here's what we need to do. How much is it going to cost us? Now, just to make that a little easier, we actually value a lot of our customers' feedback from that perspective. And one of our customers asked, hey, do you actually have any data as far as, well, what's the cost of improving a particular control?
So we're actually in the process right now of going through our data to see if we can actually come up with a statistically viable value for various control improvements, from that perspective. So we're trying to make that easier for you. And ultimately, at the end of the day, our goal for risk quantification is to make it easier, faster, and better for you. And I firmly believe that being able to do that in an automated fashion, doing risk quantification in a mostly automated fashion, is the route, because it also uses your data. So organizations tend to struggle to push back if they're saying, look, this is our data. So they can argue the data all they want, but then the results are what they are. Yep.
Toby:
So Chris asked, is there any data maintained that actually shows estimated calculated loss, like FAIR, versus actual losses?
Tim:
I'm sorry. Can you repeat that question?
Toby:
Yeah. Is there any data maintained that actually shows the estimated calculated loss, e.g. FAIR, versus actual losses? So I guess your estimated, calculating the estimated loss versus what the actual loss would be.
Tim:
Oh, yeah. So I consider that back testing. So, yeah, within the platform, we actually do back test our model, and we actually have it exposed within the platform so you can actually see, hey, here's what the platform showed as the losses, here's what the actual losses were. And then we also have a section in the platform, specifically taking it a step further, being able to say, well, what does this look like? How do I compare to my peers? So we actually have peer analytics built in there. That way you can say, hey, look, here's my organization, here's what this looks like. What do other organizations that are similar to me, in either revenue or loss structure, look like? What do their losses look like? And so you can make that comparison, because I know organizations sometimes get that question as far as, well, what is my competitor doing?
Toby:
Yeah. What's the rest of the industry doing? Yeah.
Tim:
Yeah.
Toby:
Cool. Casey asked, are you seeing solutions such as yours beginning to open the door for CISOs to have a more eye-opening conversation with their board of directors around cyber risk?
Tim:
Oh, yeah. A hundred percent, actually. Yeah. I mean, I've seen, if the CISO is not currently getting asked about what their risks are and what they're going to do about it, I'm seeing that happen more and more. So if you're a CISO out there and you haven't gotten asked yet, you're very fortunate. But gone are the days of just saying, hey, I need a million dollars to reduce our risk because I need it, versus now you're saying, well, I actually need this because of X, Y, and Z. So, yeah, I am seeing that happen more often.
Toby:
So we're going away from the gut feel of, like, how much budget I need. Yep. So, and apologies if I mispronounce this, EOS asked, or made a statement: I think for the government agencies to do RQ from a cost perspective, it's hard. I don't think that's how risk is measured in an agency. So, yeah, that's interesting insight there in terms of kind of enterprise versus government.
Tim:
Yeah. So you actually brought up a very interesting topic. And that's where, when you're talking about measuring risk for even nonprofits, let alone public entities like the government, you're not talking about fines and judgments. You're not talking about the typical losses that a private organization might have. It's usually the effect on your mission. Well, how is this affecting the mission? So, along those lines, because we've gotten a lot of those questions, we actually have a couple of different governmental agencies that we are working with to actually help them, I'm going to say, build a better model, but really just to help answer those questions: from a risk quantification perspective, what are the things that are actually of importance from a government perspective, and how do you express that leveraging the data? I mean, government agencies have data as well. It's just that when it comes from a losses perspective, that's where it changes the conversation a little bit. So stay tuned on that one. We're working on that one actively right now because of the importance of what we have found, at least within the federal space. Cool.
Toby:
Last call for questions. Okay. Well, thanks, everyone, for attending. Really appreciate the fantastic Q&A session there. If you do have any follow-up questions, like I said, you know where to reach out to us. We're happy to respond. And again, thanks for your time. We will be sharing the slides for this afterwards. So be on the lookout for that.
Tim:
Awesome. Thanks, everyone.
Toby:
Thanks, all. Appreciate your attendance.