Cybersecurity Must De-Risk the Business
The Catalyst for My Return to Qualys
“Necessity is the mother of all invention.” – Plato
Introduction
Cybersecurity as a problem and practice is evolving. This evolution is driven by business risk. Does this sound obvious? For far too long, we in security have put the technology cart way ahead of the business horse. Now, financial headwinds and rapid innovation are forcing change. We need a new approach to security that focuses on what matters most.
My perspectives on risk evolved. I started as a security builder. I’ve also been a CISO and a co-founder. Most recently, I was a cyber insurance exec – working on the intersection of risk mitigation and risk transfer to insurance. Along the way, I’ve written a couple security books: How To Measure Anything In Cybersecurity Risk and The Metrics Manifesto – Confronting Security With Data.
What I’ve learned is that you can’t (and shouldn’t) do everything. Your business is likely telling you that now. Why? Profits are back in style. With a generational change in interest rates, organizations are trimming the operational fat.
You also can’t keep up by doing things the old way. Cloud-native innovation and the rise of AI are scaling defenders (the business) and offenders (the bad guys). We are caught in the middle. We can no longer operate to “make the business secure against all possible threats.” We must evolve into “de-risking the business so it can win.”
Fortunately, there is a new way. Sumedh, Qualys’ CEO, recently shared his strategy with me. Of course, his strategy has become a digital reality – far beyond what I could imagine in practice or in my writings. I share my distilled thoughts on the vision below.
Why Security Strategy Must Be Business Focused
The modern goal of cybersecurity is de-risking the business. The objective (or purpose) is enabling the business to win.
While defeating our “digital adversaries” is crucially important, it’s a meta outcome. If we lose sight of our business de-risking goal, we stop producing value the business recognizes and supports. That value is the elimination of risk that blocks the organization from succeeding in its mission or purpose.
What combination of assets, threats, and vulnerabilities are most likely to disrupt services and lead to frustrated customers (churn), regulatory impact (fines), and or loss of revenue? What best eliminates (mitigates or remediates) those risks with minimal operational impact?
The Principles Of Efficient Cybersecurity Risk Management
We place de-risking security activity into three principled categories. They build on each other. When operationalized, they efficiently:
- Measure cybersecurity risk across every attack surface
- Communicate cybersecurity risk in terms of business value
- Eliminate cybersecurity risk with confidence
How do you do this? How do you measure, communicate, and eliminate risk at scale? You need a platform – one that is expressive and powerful.
How Cybersecurity Risk Management Achieves Scale
I worked for Qualys eighteen years ago, which makes me a true boomerang. Back then, Qualys was the leading SaaS vulnerability management platform. Today, it’s evolved into a profitable and innovative public company.
At the end of 2023, Qualys announced a new platform strategy that revolved around the concept of true risk (TruRisk). The TruRisk strategy and platform executes the principles of: Measure, Communicate, and Eliminate. As stated, each works together to continuously de-risk the business in a way stakeholders can get behind.
These principles motivate me and are one of the reasons I’m back at Qualys. (Plus, I get to work with a great team.)
Measure: From a TruRisk perspective, it means integrating and quantifying rich dimensions of asset value, threat intelligence, vulnerability state, and business impact – including monetary values. Think of TruRisk measurement as an AI-enabled risk engine. It’s backed by Qualys’ petabyte scale security data lake and a streaming platform parsing trillions of events.
Data democratization also plays a significant role in this part of the strategy. The platform is opening up to ingest risk data across the security ecosystem., a departure from single-sourced security data.
Communicate: From a TruRisk perspective, it means transforming raw security telemetry (from many vendors) into something meaningful to practitioners and executive stakeholders. At the heart of this is the TruRisk scoring system, an index based on underlying operational reality. Good risk scores correlate directly to the underlying operational state. Scores must apply equally well to a single risk and aggregated risks across multiple assets with data sourced from multiple vendors.
Key to communication is the ability to easily query, analyze, and alert on the risks you care about – by anyone in the business.
| I’ve witnessed, time and again, that few leaders can discuss a risk-based approach in practice. That’s why I’m particularly excited about Qualys’ TruRisk vision. It provides a practical (and unified) approach for communicating about risk for the vast majority of organizations and their stakeholders. |
Eliminate: Rests on the shoulders of “measure” and “communicate” and decomposes into two automated actions: Remediate and Mitigate. Remediate includes various forms of automated patching across hybrid environments. Mitigate applies when patches are not available.
The challenge with taking automated actions is business disruption. This is where the measurement and communication capabilities optimize actions. AI capabilities can learn across the Qualys platform – globally and locally – to help you optimize elimination policy and minimize errors.
Wrapping Up
My mission as Chief Risk Technology Officer is to help Qualys’ customers and the broader security community measure, communicate, and eliminate true risk. Look for more blogs and webinars from me on strategy and best practices and feel free to reach out and connect with me on LinkedIn.