Medical Insurance Provider
40 Independent Operating Companies
Healthcare Cyber Risk: The healthcare company was unable to consistently measure cyber risk across its member companies, and had difficulty accurately showing the potential financial impact of a successful attack. They also were challenged by subjective project prioritization that did not use risk impact analysis to drive decisions.
The project centered on achieving an aggregate view of the greatest financial cyber risks across all 40 member companies so the Chief Information Security Officer could effectively prioritize resources and have impactful monetary discussions with the Board.
The CISO also wanted to give each member company a snapshot of their greatest financial risks.
ThreatConnect Risk Quantifier (RQ) provided the client the ability to objectively look at risk as a portfolio, across all of their member companies and prioritize resources by return-on-investment to buy down the most risk. RQ’s automated approach to cyber risk quantification for short time-to-value was critical to making CRQ a reality for this small team.
By leveraging ThreatConnect RQ, the CISO of the parent company now has a window of insight into the risk posture of dozens of independent operating companies and can rank them accordingly. The CISO is also using RQ to understand which company is doing well and which isn’t to help for awareness and to prioritize where to focus resources. By enabling each independent company to visualize their greatest financial risks, the CISO was able to lead data-driven discussions with the Board of Directors.
By deploying ThreatConnect RQ, the client was able to:
- Justify spend and security investments across an enterprise portfolio company
- Compare and contrast investments and initiatives to risk reduction
- If I spend “X” will I get “Y”? Is it worth it?
- Prioritize which investments you make, when, where and how
- Determine and track critical assets
- Help organizations identify (and quantify) what their critical assets are, and track them:
- Apps that house critical Pxi data (PCI, PHI, PII) and data records
- Apps critical to business operations (revenue generation)
- Holding something of financial value (Intellectual Property)
- Prioritize vulnerabilities by financial impact
- Understand the financial impact of Common Vulnerabilities & Exposures (CVEs) contribute to the business