When it comes to obtaining buy-in from executive management and the board, quantifying cyber risk is important. Security leaders who cannot place a financial value on the level of risk in an environment may find it difficult to justify their spending on defense technologies.
The problem is that calculating risk is complicated. However, solution providers such as cyber risk quantification vendor Axio, which today announced it has raised $23 million as part of a Series B investment round led by ISTARI, provide platforms to continuously measure risk and identify gaps.
Axio’s Axio360 solution provides organizations with a single source of truth for their overall cyber risk posture, providing cybersecurity assessments against industry frameworks and standards including NIST CSF, C2M2 and CIS 18, along with insurance stress testing for quantifying cyber risk and analyzing insurance policies.
This approach, and that of other cyber risk quantification providers, allows security leaders to better communicate the financial value of cyber risks in their environment, so they can understand which threats are most likely to harm the organization and help determine the warranted level of cyber insurance coverage.
Adapting to cyber risk
As the threat landscape evolves and maintaining security and compliance becomes more complex, more enterprises are turning to cyber risk quantification to adjust for exposure levels.
In fact, according to Gartner’s 2021 A Quantitative Study of Cyber Risks, about 70% of SRM leaders planned to implement CRQ within the next two years.
At the heart of the challenge of mitigating cyber risk is a lack of alignment between security leaders and key executives in how they interpret the amount of risk in the enterprise.
“The Board of Directors, the C-suite, and the Security and Risk team are rarely aligned on key questions related to an organization’s cyber posture and overall performance. Axio manages this compliance and empowers leadership to make decisions, prioritize and optimize investments around cybersecurity,” said Scott Kannry, CEO of Axio.
“When presenting to management, most CISOs struggle to communicate effectively without using rudimentary heatmaps and scorecards, trying to describe how their programs are performing and why certain control risk areas require more budget,” Kannry said.
The end result of this misunderstanding, Kannry explains, is that security leaders don’t have the resources they need to protect the business, and management doesn’t have the visibility they need to see which security investments are having the most impact.
Risk quantification solutions like Axio help streamline these communications by enabling CISOs to communicate risk from a financial perspective.
Let’s take a quick look at the risk quant market
The risk quantification market is a relatively new space, but the past year has seen a lot of investment activity. A few months ago, cybersecurity posture automation provider Balbix announced that it raised $70 million as part of its Series C funding round.
Balbix’s platform analyzes hundreds of billions of time-varying signals captured from the network, prioritizes vulnerabilities and offers users insights into risk, while providing a measure for the financial risk posed by vulnerabilities.
The organization also competes with providers such as active insurance provider Coalition, which offers a real-time risk assessment to measure digital risk. Coalition raised $250 million in financing just a month ago.
Kannry argues, however, that the main difference between Axio and other competitors is that “we focus on impact and help the security leader understand what something is going to cost. We focus on protections that allow users to ‘show their work’ when asked by a board member.”