Latest RQ 5.0 release introduces support for multiple security control frameworks and is the industry’s first product to prioritize common vulnerabilities and exposures (CVEs) by the financial risk they bring to the business.
Even with all the strife experienced in 2020, companies are accelerating their digital transformation initiatives. Believe it or not, most companies are planning to increase their security budget in 2021. Cybersecurity is a top of mind issue and it is propelling cybersecurity leaders to the front and center of executive agendas.
Business leaders are starting to understand the integral part that managing cyber risk plays in creating successful business outcomes. Security leaders now have a voice and a seat at the executive table. On the flip side, the risk measurements that security teams use (tactical KPIs, indicators of compromise, and severity risk scores) don’t mean much to their business counterparts, who need to understand risk in terms of business impacts and financial risk.
That’s why Risk Quantifier (RQ) is so important to enterprise organizations right now. The 5.0 update offers new ways for security teams to articulate cyber risk and better collaborate with their business counterparts.
In ThreatConnect RQ 5.0, we’re introducing four new capabilities:
- Prioritizing CVEs by Financial Risk and Impact
- What If Analysis
- Multiple Control Framework Support
- Currency Support for Australian Dollar and Euros
Let’s dig into each.
Prioritizing CVEs by Financial Risk and Impact
Enterprise security teams deal with a constant avalanche of security alerts for vulnerabilities. They receive so many that it becomes difficult to know where to start. This is especially true when many alerts come in with high severity ratings. While CVSS scores can be helpful, they rate the severity of a vulnerability, not the risk it poses to the business. A severity rating of 10 for a vulnerability in one business isn’t always a 10 in another business. Relevancy and context matter when it comes to prioritizing which alerts to focus on first.
So, it isn’t surprising that when Ponemon Institute surveyed 3,000 IT professionals, 72% reported difficulty in prioritizing what needs to be patched. Perhaps even more troubling is that 60% of those surveyed indicated that breaches at their organization were linked to a vulnerability where a patch was available, but not applied.
RQ 5.0 provides an industry first by offering the ability to view and act on the vulnerabilities that represent the most financial risk and impact to the organization. In this way, you can prioritize CVEs in the context of the financial risk they represent should an attack or exploit be successful.
This allows you to demonstrate how your vulnerability management programs directly relate to financial impact and risk.
What If Analysis
It’s a well-known fact that justifying new security investments or dealing with cutbacks of already scarce resources is a top pain point for security leaders. It’s not always easy to demonstrate a return on security investment, or how cuts in security spending can cause undue harm to the business. In fact, a recent SANS survey showed that 70% of IT professionals said they do not evaluate the effectiveness of security spending and are unable to justify investments.
What security leaders need to demonstrate is usually a long way off from the reality of what they can show. RQ 5.0 provides a sandbox environment that allows security teams to quickly model the impact of changes in their environment. Using this capability they can communicate how business decisions affect cyber risk and enable executives to better understand:
- The financial risks associated with budget changes before they make a decision
- The cyber risk associated with bringing new entities or applications into the business, and the impact a successful attack could have on the business
- The potential financial impact of granting a security waiver for an application, and how it influences cyber risk tolerance
Multiple Control Framework Support
It’s hard to benchmark your security controls against industry norms without having some way to measure your efforts. Businesses use multiple frameworks like NIST CSF and the CIS Top 20 to understand the maturity of their security controls relative to their peers and risk mitigation efforts. Now, security leaders can show their business counterparts solid numbers that uncover gaps in controls and prioritized recommendations based on the framework they use and the risk tolerance of their organization.
Finally, as we continue to build on RQ capabilities to support global organizations, we will be adding support to show financial risk results in all major currencies. Risk Quantifier 5.0 now includes support for:
- US Dollars
- Australian Dollars
- Euros
With RQ 5.0, businesses can get on the fast track toward better collaboration and communication of cyber risk across the organization. By breaking through the security jargon and transforming conversations to risk versus reward, security teams can:
- Prioritize response activities based upon their efficacy in reducing the risk of financial loss or operational impact
- Confidently apply security dollars for the greatest return on investment by seeing the risk you buy down
- Justify spending decisions by talking in terms that CISOs and board members will understand