QSC 2022 Kickoff: Quantifying and Qualifying Digital Cyber Risks
Last updated on: November 16, 2022
Qualys’ annual security conference returned to a live-only event this week at the Venetian Hotel in Las Vegas, and the keynote addresses started things off on a very practical note… about selling coconuts, toasters, and carbon monoxide detectors. The first two keynotes featured speeches from both Shark Tank celebrity businessman and CEO of Cyderes, Robert Herjavec, and Qualys’ President and CEO, Sumedh Thakar. Both spoke around the similar theme of qualifying and quantifying digital cyber risks.
Herjavec comes from a background of close to 40 years selling cybersecurity, starting with IBM 3270 emulator cards for PCs. He went on to sell multi-site Checkpoint firewalls and eventually sold two of his businesses to Nokia and AT&T before running his own managed security services company that operates six security operations centers and does close to a billion dollars in annual revenue.
“Infosec is driven by two very distinct reasons and is a lot like having both carbon monoxide and smoke detectors in your home. The former is good for detecting threats, while the latter is something you must purchase, because of regulations,” he said during his talk. He mentioned the increasing regulatory environment in cybersecurity, including the proposal by the Securities and Exchange Commission to have a mandatory disclosure of any cyber breach within four days. “This presents a problem for many companies, who don’t even know they have been breached, since the average discovery time can be six months,” he said. “Security is moving towards becoming a risk-based business and the more successful companies are those that can quantify their risks.”
This brings us to Thakar’s keynote talk and coconuts and toasters. On a recent business trip to Mumbai, he came across a coconut seller on the street. What impressed our CEO was that the seller was displaying a QR code so that anyone with a connected smartphone could scan the code and purchase the fruit online. “He didn’t need to produce any paper receipts or fumble for change; he could just focus on his business. We have to think in that context about how we provide cybersecurity. It must be built into the business. We have to do a better job of being able to quantify cyber risks and figure out the metrics that can help tie risks to the financial impact on the business.”
Certainly, cyber risk has changed dramatically in the last five years with the rise of the digital economy and with a little help from Covid and the transition to more remote workers. “Every business is a digital business, and has to leverage tech and interact with your customers based on that,” Thakar said. He mentioned how once upon a time when a banking customer opened a new account, they got a toaster. “Now it is all about whether I can take a selfie to open my account, not how much interest they are offering or whether or not I get a toaster. We need to focus on reducing risk for our customers by providing a single workflow from the discovery of a vulnerability to patching the problem.”
Herjavec mentioned how his company went from working from five offices to more than 800 people working from their homes. “This, in part, has contributed to ransomware being one of the biggest threats we have seen. Our guard is down because employees are working from home and are clicking on stuff they shouldn’t be clicking on.” Speaking about ransoms, “we used to always say not to pay them until we had a healthcare client that was shut down by ransomware and they ended up paying because the threat to their patients was too large. It made me think more carefully about what the role of technology was and the impact on their business. And at least they realized that they had to increase their cybersecurity efforts and now knew where the holes in their defenses were — and more importantly, now could quantify their risks.”
“At the end of the day, we all have to talk in the language of money and what is important to the business,” said Thakar during his talk. “We must innovate and bring down the costs of risk mitigation. Boards of directors don’t want to hear about the next generation of security tools. Instead, they want to know if we can bring automation to help reduce risks and save their company’s money. If we can lower the risks of a collection of unpatched Chrome browsers through automation, that translates into direct cost savings and preventing potential threats to those systems. This changes the conversation to directly help the business.”