This week, BitSight raised $250 million from Moody’s and acquired cyber risk quantification company VisibleRisk. The move certainly makes sense for BitSight, but what does it mean for the cyber risk quantification space at large?
Over the last few years, the conversation about cyber risk has been dominated by the security ratings companies like BitSight and SecurityScorecard. And they provide a valuable way for companies to rank risks in a defensible, clear manner. Yet there’s always been a fundamental need in the market that they have been, until now, unable to provide: Showing business and security leaders the financial impact of attacks on their enterprise, their partners, and third parties.
I’ve heard from our customers (and others in the industry) that ratings are helpful for evaluating companies but don’t convey the value or meaning of the risks in a way that the business can truly consume and use to make decisions. That meaning only comes from understanding cyber risk in financial terms.
That’s why, in my opinion, BitSight’s acquisition of VisibleRisk makes so much sense. The acquisition enhances BitSight’s capabilities in the financial cyber quantification realm, and it paints a clear picture toward the future of evaluating and managing cyber risk. That future is financial cyber risk quantification, and it’s interesting that the Gartner Hype Cycle has CRQ right behind Security Ratings Services.
In the end, while I think this is a great acquisition for BitSight, the CRQ space, and companies in general, it’s only a step in the right direction. Quantifying a company’s risk in financial terms requires an inside-out view of the company — not just an outside-in view. I think BitSight and VisibleRisk (and Moody’s) see the value of knowing a company’s financial risk (especially when trying to factor in cyber risk to credit ratings) and this is a good first step in measuring that risk.
But our view is that to truly get that financial picture of the company you have to look at the company from the inside, not just the outside. We’ve designed ThreatConnect RQ to look at a company’s technical landscape — vulnerabilities, controls, and threats — to put together a picture of the financial exposure they face. That exposure is then evaluated to determine the best investments to make — based on ROI — to buy down risk in financial terms.
We’ve been building and evolving ThreatConnect RQ for more than four years now. Our philosophy is and has always been to provide an inside-out financial risk analysis and to prioritize security initiatives in financial terms. The rest of the market is now clearly moving in that direction and I’m excited about the future.
And we’re not done innovating at ThreatConnect. Keep a close watch on ThreatConnect RQ — we’ve got some big announcements coming in the next few weeks too.