Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

Bitsight’s Acquisition of VisibleRisk: A View From The CRQ World

This week, Bitsight raised $250 million from Moodys and acquired cyber risk quantification company VisibleRisk. The move certainly makes sense for Bitsight, but what does it mean for the cyber risk quantification space at large?

Over the last few years, the conversation about cyber risk has been dominated by the security ratings companies like BitSight and SecurityScorecard. And they provide a valuable way for companies to rank risks in a defensible, clear manner. Yet there’s always been a fundamental need in the market that they have been, until now, unable to provide: Showing business and security leaders the financial impact of attacks on their enterprise, their partners, and third parties.

I’ve heard from our customers (and others in the industry) that ratings are helpful for evaluating companies but don’t convey the value or meaning of the risks in a way that the business can truly consume and use to make decisions. That meaning only comes from understanding cyber risk in financial terms.

That’s why, in my opinion, Bitsight’s acquisition of VisibleRisk makes so much sense. The acquisition enhances BitSight’s capabilities in the financial cyber quantification realm and it paints a clear picture toward the future of evaluating and managing cyber risk. That future is financial cyber risk quantification and it’s interesting that the Gartner Hype Cycle has CRQ right behind Security Ratings Services.

In the end, while I think this is a great acquisition for BitSight, the CRQ space, and companies in general, it’s only a step in the right direction. Quantifying a company’s risk in financial terms requires an inside-out view of the company — not just an outside-in view. I think BitSight and VisibleRisk (and Moody’s) see the value of knowing a company’s financial risk (especially when trying to factor in cyber risk to credit ratings) and this is a good first step in measuring that risk.

But our view is that to truly get that financial picture of the company you have to look at the company from the inside, not just the outside. We’ve designed ThreatConnect RQ to look at a company’s technical landscape — vulnerabilities, controls, and threats — to put together a picture of the financial exposure they face. That exposure is then evaluated to determine the best investments to make — based on ROI — to buy down risk in financial terms.

We’ve been building and evolving ThreatConnect RQ for more than four years now. Our philosophy is and has always been to provide an inside-out financial risk analysis and to prioritize security initiatives in financial terms. The rest of the market is now clearly moving in that direction and I’m excited about the future.

And we’re not done innovating at ThreatConnect. Keep a close watch on ThreatConnect RQ — we’ve got some big announcements coming in the next few weeks too.

About the Author

Jerry Caponera

Jerry Caponera is VP Cyber Risk Strategy at ThreatConnect, and leads the effort to quantify cyber risk in financial terms. He’s been working on cyber risk quantification efforts for a number of years and has a broad background in cyber, having worked for incident response, malware analysis, and services companies. He has spoken at a number of conferences worldwide including ISS World MEA, InfoSecurity Russia, and TM World Forum. He holds an MBA from the University of Massachusetts, an MS in Computer Science from the University of Pennsylvania, and a BS in Electrical Engineering from the University of Buffalo.