The IT security industry has a surplus of data. But linking threat landscape noise to the risks organisations face every day remains a challenge.
So too does putting a monetary value on that enterprise risk.
Nonetheless, converting lists of CVEs, or any of the myriad other data sources coming into security operations centres (SOCs), into some form of cost is essential, argues Qualys CEO Sumedh Thakar.
“Being able to align quantification to some form of dollar value, pound value, is something that is becoming more and more important,” he says.
“It is a journey of maturity.
“The industry is starting down that route now. A lot of times people may not necessarily know that exact value at risk, but they might be able to leverage the intrinsic value of the business as a proxy to value at risk.”
The challenge is that businesses, and their security teams, have access to plenty of data about threats and vulnerabilities; Qualys is one vendor feeding data to security teams.
But whilst much of that threat information might be common, the way it impacts any one individual organisation varies widely.
“At the end of the day,” says Thakar, “exploitation of one vulnerability and the loss it could cause for one company could be completely different than it is for another company.
“And so some CISOs have struggled to have conversations with the board because they go and report CVE counts and stuff like that, which means nothing to the board. The board wants to speak the language of business, business risk, business loss.”
Qualys’ risk management tool, the Enterprise TruRisk Management Platform, is about “putting some hard numbers” on that risk and potential loss, he suggests.
Gold stars?
Thakar, who became CEO in 2021, is a long-term Qualys employee. He joined soon after the company was founded, in 2003, and went on to be chief product officer and then president. During that time he has witnessed significant changes in the threats organisations face, and also how they approach security.
“We were in an era where 21 years ago, a gold star customer for us would be somebody who would scan that network once a quarter, and then they would ask their team to take 90 days to fix all the findings, and that was more than enough,” he says.
Since then, both the technology and security landscapes have changed dramatically.
“Digitisation of everything just means simply more assets and more software, and the basic physics of that is more software means more vulnerabilities,” says Thakar.
“Digitisation also means that the value at risk for a customer, the value of what their business has, has shifted more online. Attackers are more incentivised now to go after digital infrastructure than they were a few years ago.”
And that is changing how security teams have to work. Today, a customer might scan their network every four hours, and still worry that it is not frequent enough.
“The problem is that if you're not fixing anything quickly, what's the point? It's like weighing yourself four times a day without going to the gym.”
That fix demands some serious conversations between CISOs and the business around risk. But it is also changing the way security teams are handling information, and acting on it.
Celebrity vulnerabilities
Cybersecurity resources are not unlimited, and as Thakar argues, wasting resources going after CVEs that might have only a limited impact on the business is almost as bad as ignoring the threats that do have an impact.
“There is this concept of celebrity vulnerabilities,” he says. “Not only do you have all these thousands of vulnerabilities coming out, but then whenever there is a ‘celebrity’ vulnerability that comes out that's named, that’s in the news, people jump into what I call a risk whack-a-mole [mode]. Now, you drop everything else, and you're just going after that just because it's in the news.”
The industry, Thakar says, has too many findings and too many vulnerabilities, and it is impossible to address them all. Instead, there needs to be a way to prioritise the threats security teams go after. “While there are tonnes and tonnes of CVEs coming out, very few actually have a real way of being exploited,” he notes.
That filtering and prioritisation, and the tying of threats to business risk, are behind a move from security operations centres (SOCs) to risk operations centres (ROCs).
The Risk Operations Centre
The ROC is not a concept that is unique to Qualys, however. Thakar stresses that much of its benefit comes from being able to combine multiple data sources and platforms into a single tool, adding the business context, and ultimately, putting a price on risk.
“If there is a loss of PII, how much would we lose? If there is a reputational damage, how much would we lose? It’s putting some of those numbers down,” he says.
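As an added illustration of the two ideas above (prioritising by real exploitability rather than CVE count, and expressing the result as money at risk), here is a small scoring script. It is not Qualys code and not the TruRisk platform's scoring; the CVE ids, exploitability weights, asset values and findings are all constructed for the example.

```python
"""Added example (not Qualys code): rank a CVE list by expected loss in pounds.
All ids, weights and values below are constructed assumptions for illustration."""
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str            # placeholder id, not a real CVE
    asset: str
    exploitability: str  # "exploited_in_wild" | "public_exploit" | "theoretical"

# Assumed likelihood that a finding of this class is actually exploited (illustrative).
EXPLOIT_WEIGHT = {"exploited_in_wild": 0.6, "public_exploit": 0.25, "theoretical": 0.02}

# Value at risk per asset in pounds, using business value as the proxy (constructed).
ASSET_VALUE = {"customer-db": 4_000_000, "hr-portal": 800_000, "marketing-site": 50_000}

def expected_loss(f: Finding) -> float:
    """Money at risk for one finding: likelihood of exploitation x value of the asset."""
    return EXPLOIT_WEIGHT[f.exploitability] * ASSET_VALUE[f.asset]

def rank_by_risk(findings):
    """Turn a flat CVE list into (cve, asset, expected_loss) ordered by money at risk."""
    scored = [(f.cve, f.asset, expected_loss(f)) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)

def board_summary(findings, fixes_this_cycle: int):
    """What a board can act on: total expected loss, and how much the top-N fixes remove."""
    ranked = rank_by_risk(findings)
    total = sum(r[2] for r in ranked)
    removed = sum(r[2] for r in ranked[:fixes_this_cycle])
    return {"cve_count": len(findings), "fixes": fixes_this_cycle,
            "total_expected_loss": total, "loss_removed_by_fixes": removed}

# Constructed findings. CVE-EXAMPLE-2 plays the "celebrity" vulnerability: a public
# exploit in the news, but on the lowest-value asset.
FINDINGS = [
    Finding("CVE-EXAMPLE-1", "customer-db", "exploited_in_wild"),
    Finding("CVE-EXAMPLE-2", "marketing-site", "public_exploit"),
    Finding("CVE-EXAMPLE-3", "hr-portal", "theoretical"),
    Finding("CVE-EXAMPLE-4", "customer-db", "theoretical"),
    Finding("CVE-EXAMPLE-5", "hr-portal", "public_exploit"),
]

if __name__ == "__main__":
    for cve, asset, loss in rank_by_risk(FINDINGS):
        print(f"{cve:16} {asset:16} £{loss:>12,.0f}")
    print(board_summary(FINDINGS, fixes_this_cycle=2))
```

The headline CVE lands last in the ranking, while fixing just the top two findings removes most of the total expected loss, which is the conversation with the board the text describes.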
For security teams, too, that business context means change. They need to move from “wartime cybersecurity, which is attackers in the environment” to a more resilient business, one that is not wasting precious IT resources fixing issues that are not aligned to that business risk.
“A risk operation centre is a peacetime effort. You are basically proactively looking at your defence,” says Thakar.
“Whether they use Qualys or not, I think a movement towards a risk operations centre is going to be very important. It’s being a partner to the business rather than just being a ‘no’ person all the time.”
Published in partnership with Qualys