
QSC24: Understand Business Risks Over 'Whack a Mole' Bug Fixes

Language around cybersecurity needs to change to understand business risk.


Speaking at the Qualys Security Conference in San Diego, Qualys president and CEO Sumedh Thakar said so much time is spent on fixing vulnerabilities that not enough time is spent determining the risk to the business.

In his keynote titled ‘If everything is critical, nothing is’, Thakar said 99 percent of the people he talks to cannot talk about how much risk they have, and “the number of vulnerabilities that you have discovered via Qualys is not a measure of risk, and two million vulnerabilities doesn’t mean anything from a risk perspective.”

Identifying Different Scenarios

Defining risk as the “possibility that something could happen,” he said: “At a high level, that is what cybersecurity is about; identifying what are the different scenarios in which you can actually cause a meaningful loss to the business, and how much should I spend on the mitigation of it, and how much do I spend on the transfer of the risk?”

Admitting that no business is going to get to “zero risk” as no one can fix every vulnerability, Thakar said it is more about how to figure out which of those different scenarios are going to cause a financial loss for the company, and reduce the likelihood of a loss happening.

“That doesn't mean if your business is $200 million a year that you're going to lose all of the $200 million, the question is if there is an attack, if your system gets shut down or gets compromised or there's an attack, how much money is the business going to lose if that scenario happens?”

Business Impact

Thakar admitted that this level of risk analysis is not a common CISO function, and asked the audience how many of them had changed a provider after being notified of a potential compromise, to which no one responded. He said the business is more concerned about the impact on it and its reputation, and on the “non-availability of the banking system for a week, or the non-availability to conduct online business.”

He said: “It is about how you are able to work with the executive team and the business to understand what are the business entities that we care about.”

Looking at the state of cybersecurity today, Thakar said when he talks to people in risk management they say they “have all the tools, and everybody has a top ten dashboard.”

He said that the conversation with an executive team is often that the $500 million a year business unit has a potential loss of $10 million a day if a cyber-attack happens, and the risk score is 75 percent that something bad is going to happen.

“We want to have an acceptable risk level which is 20 percent and I want to be able to spend $500,000 specifically implementing these four controls which will then bring the probability of losing $10 million from 75 percent to 30 percent, and I want to spend another $50,000 on cyber insurance to take the rest of the 20 percent off. That's the conversation that needs to happen, which doesn't, that’s the reason why cyber guys are always back asking for more money.”

Focus on Fixing

Closing his keynote, Thakar said the language of cybersecurity is still too focused on patches and threats, when only a few vulnerabilities are important, and CISOs need to take the noise and distil it into indicators of exposure. “How do we take all of the data that we have and stop what we are doing, which becomes a risk ‘whack-a-mole’ where we deal with ‘celebrity vulnerabilities’ where at the end of the day we did all this work and we look at what we got out of that.”

“We’ve got to stop doing this and take much more of an operational approach: here’s my assets, here's all the different risk factors, my threat intelligence, my business context and have a list of exposures that are really important and I need to operationalize.”
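As an added illustration (not code from Qualys, and not part of the original article), the following Python models the two points above: the acceptable-risk conversation (a $10 million loss scenario at 75 percent likelihood, controls that cut it to 30 percent, insurance to transfer the rest) and the shift from counting vulnerabilities to ranking exposures by threat intelligence and business context. All asset names, finding ids and revenue figures are constructed, and the likelihood weights and the insurance model are simplifying assumptions of this example, not Qualys's TruRisk scoring.

```python
from dataclasses import dataclass
from typing import Dict, List

# ---- Part 1: the "acceptable risk" conversation with the executive team ----

@dataclass(frozen=True)
class Scenario:
    """A loss scenario: what the business loses if it happens, and how likely it is."""
    name: str
    loss_if_realised: float   # currency lost when the scenario occurs (e.g. per day of outage)
    probability: float        # likelihood over the planning period, 0.0..1.0


def expected_loss(loss_if_realised: float, probability: float) -> float:
    """Probability-weighted loss: the figure the business actually cares about."""
    return loss_if_realised * probability


def risk_treatment_plan(scenario: Scenario, control_cost: float, residual_probability: float,
                        insurance_premium: float, insured_fraction: float) -> Dict[str, float]:
    """Mitigate with controls, then transfer part of what remains with insurance.

    Simplifying assumption: insurance pays out `insured_fraction` of the loss, so the
    retained expected loss shrinks by that share. Real policies have limits and exclusions.
    """
    before = expected_loss(scenario.loss_if_realised, scenario.probability)
    after_controls = expected_loss(scenario.loss_if_realised, residual_probability)
    retained = after_controls * (1.0 - insured_fraction)
    total_spend = control_cost + insurance_premium
    return {
        "expected_loss_before": before,
        "expected_loss_after_controls": after_controls,
        "expected_loss_retained": retained,
        "retained_probability_equivalent": residual_probability * (1.0 - insured_fraction),
        "total_spend": total_spend,
        "net_benefit": (before - retained) - total_spend,
    }


# ---- Part 2: exposures, not vulnerability counts ----

@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str           # constructed placeholder ids, not real CVE numbers
    cvss: float               # severity as reported by the scanner
    exploited_in_wild: bool   # threat intelligence
    internet_facing: bool     # risk factor from the asset inventory
    revenue_per_day: float    # business context: revenue the asset supports


def likelihood(f: Finding) -> float:
    """Assumed weighting: CVSS is only a weak base rate; threat intel and reachability dominate."""
    base = (f.cvss / 10.0) * 0.25
    if f.exploited_in_wild:
        base *= 3.0
    if f.internet_facing:
        base *= 2.0
    return min(base, 1.0)


def exposure(f: Finding) -> float:
    """Likelihood times business impact: a finding on an asset worth nothing scores nothing."""
    return likelihood(f) * f.revenue_per_day


def prioritise(findings: List[Finding], top_n: int) -> List[str]:
    return [f.finding_id for f in sorted(findings, key=exposure, reverse=True)[:top_n]]


def cvss_only(findings: List[Finding], top_n: int) -> List[str]:
    """The 'top ten dashboard' ordering: severity alone, no business context."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)[:top_n]]


# Constructed sample findings: high CVSS on worthless assets, lower CVSS on revenue-critical ones.
SAMPLE_FINDINGS = [
    Finding("marketing-wiki", "F-1", 9.8, False, True, 0.0),
    Finding("payments-gw", "F-2", 7.5, True, True, 10_000_000.0),
    Finding("hr-portal", "F-3", 9.1, False, False, 100_000.0),
    Finding("batch-db", "F-4", 6.5, True, False, 2_000_000.0),
    Finding("dev-sandbox", "F-5", 10.0, False, True, 0.0),
]

# The keynote's scenario: $10M loss, 75% likely, four controls for $500k bring it to 30%,
# $50k of insurance transfers a third of what remains, landing at the 20% acceptable level.
KEYNOTE_SCENARIO = Scenario("business unit outage", 10_000_000.0, 0.75)

if __name__ == "__main__":
    plan = risk_treatment_plan(KEYNOTE_SCENARIO, 500_000.0, 0.30, 50_000.0, 1.0 / 3.0)
    for key, value in plan.items():
        print(f"{key:32s} {value:>14,.2f}")
    print("CVSS-only top 3:   ", cvss_only(SAMPLE_FINDINGS, 3))
    print("Exposure top 3:    ", prioritise(SAMPLE_FINDINGS, 3))
```

Run as a script it prints the treatment plan and the two orderings side by side. The CVSS-only list puts the sandbox and the wiki first; the exposure ranking puts the actively exploited payment gateway and batch database first, which is the difference between a count of two million vulnerabilities and a short list a CISO can operationalise.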

Thakar concluded by announcing the launch of Qualys’s Risk Operations Center (ROC) and Enterprise TruRisk Management (ETM), which the company says enable CISOs to manage cybersecurity risk in real time and transform fragmented, siloed data into actionable insights that align cyber risk operations with business priorities.

This includes:

  • Unified asset inventory
  • Risk factors aggregation
  • Threat intelligence
  • Business context
  • Risk prioritisation
  • Risk response orchestration
  • Compliance and executive reporting

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
