RiskLens, Axio Lead Cyber Risk Quantification Forrester Wave
ThreatConnect Earns High Marks as CRQ Helps CISOs Prove Return on Cyber Investment
Recently acquired RiskLens edged out startup Axio and incumbent ThreatConnect for the top spot in Forrester's first-ever cyber risk quantification rankings.
Cyber risk quantification focused on theoretical methodology for almost 10 years, but over the past half-decade it has shifted to practical applications as CISOs face increasing pressure to demonstrate the value of their security investments, said Forrester Senior Analyst Cody Scott. Acquisitions that bring cyber risk quantification into broad threat intelligence platforms make the business model more viable, Scott said (see: Safe Security Buys Cyber Risk Quantification Vendor RiskLens).
"This is one of the fastest-growing markets in terms of client mindshare and industry interest right now," Scott told Information Security Media Group. "A lot of key players have started to stand out for showing that CRQ is not only a viable business model but that it has positive results for their clients."
Cyber risk quantification was historically more compliance-led and focused on helping companies report on status rather than assisting in the decision-making process, Scott said. But thanks to tight integrations with asset management and vulnerability management capabilities, providers today can use predictive analytics to generate the loss expectancy associated with exploitation of specific security vulnerabilities.
"CRQ is fundamentally changing the way organizations think about their risk management and the utility they get from their risk management program," Scott said.
Forrester rated RiskLens' strategy around cyber risk quantification as the best, and Axio, ThreatConnect and Balbix received the second-, third- and fourth-highest scores in the strategy category, respectively. In terms of strength of current offering, ThreatConnect edged out RiskLens for the highest score, and Axio, KPMG and Balbix earned the third-, fourth- and fifth-highest rankings from Forrester, respectively.
The most successful cyber risk quantification providers can model risk scenarios and break them down into specific variables, as well as take data from many disparate tools and conduct automated calculations for customers, Scott said. Cyber risk quantification tools must track where third-party data comes from and be able to model different types of ransomware attacks to address executive concerns.
Going forward, Scott expects cyber risk consulting services firms will take a more product-led approach to cyber risk quantification while governance, risk and compliance, attack surface management and risk rating companies enter the arena for the first time. Added cyber risk quantification features will make GRC firms less compliance-centric and allow ASM and risk ratings firms to leverage data already collected.
"The end-user need is still for a product that they can use on their own without the ongoing support or engagement of professional services to maintain it," Scott said.
Outside of the leaders, here's how Forrester sees the cyber risk quantification market:
- Strong Performers: Balbix, Mastercard, KPMG
- Contender: X-Analytics
- Challenger: Deloitte
How the Cyber Risk Quantification Leaders Climbed Their Way to the Top
RiskLens Helps Firms Assess Risk in Granular, Aggregated Fashion
RiskLens has rolled out tools for large enterprise customers that allow them to benefit at scale. One example is a portfolio management feature that allows companies to view top cyber risks by business unit or division as well as across their whole enterprise, said Safe Security President Nick Sanna. Previously, global enterprises couldn't assess risk in both a granular and aggregated fashion and got only siloed views of risk.
The company also invested in connecting control measurement standards with risk in an automated fashion to help organizations determine the consequences of controls being misconfigured and how that translates into risk. Customers previously depended on analysts to represent the state of their controls, which Sanna said introduced a degree of subjectivity since analysts interpreted what the tools found (see: Safe Security Raises $50M to Bring ML to Risk Quantification).
"The machine does the heavy lifting," Sanna told Information Security Media Group. "The machine can now automatically identify the risks, calculate the risks and provide visibility with dashboards on the risk on a continuous basis. We haven't seen these other players provide that level of automation across all these phases with a breadth and scope that Safe and RiskLens provide."
Forrester chided RiskLens for its slowness in adopting automated methods for collecting risk input data and for a pricing model and cost that are a tough sell to executives. Sanna said becoming part of Safe Security will give RiskLens a stronger level of automated input into risk assessments and analysis as well as a simpler and more integrated pricing model.
"I think all the weaknesses that were highlighted actually are very well-addressed by the combination with Safe," Sanna said. "Safe dramatically accelerates the road map that we had at RiskLens by years."
Axio's New Starter Scenarios Address Sector-Specific Threats
Axio has redesigned its product over the past year to simplify onboarding and usage by creating starter scenarios that address generalized threats such as ransomware and data breaches as well as sector-specific challenges in healthcare, utilities and critical infrastructure, said Chief Product Officer Nicole Sundin. Organizations can achieve fidelity in five to eight scenarios in less than 15 minutes, according to Sundin.
The company also has invested in control and reporting initiatives to help organizations map regulatory controls to their risk environment and drive more adoption and rapid time-to-value for implementation of the Axio technology, Sundin said. This includes providing visibility into how PAM, MFA and EDR tools can reduce risk for specific organizations as well as what-if analysis and reporting for board members (see: Re-Defining Banking's Unique Cyber Risk).
"Our methodology is much more impact-focused," Axio co-founder and President David White told Information Security Media Group. "Our platform enables you to do very transparent and straightforward modeling of impact in 47 standard impact categories, and you can add additional impact categories as you see the need."
Forrester criticized Axio for weak native third-party integrations to automatically source risk data inputs as well as subpar threat modeling and visuals for nontechnical audiences in their native reports. Sundin said Axio recently added five to seven new automation-focused integrations, is working on a new reporting engine and will provide more features to nontechnical audiences over the next three years.
"We also want to pull in these red teams that want to be a part of this CRQ process but right now feel like they are not included," Sundin said.
ThreatConnect Aims to Remove Subjectivity From Risk Evaluation
ThreatConnect has doubled down on applying machine learning to financial quantification at scale to remove subjectivity and increase defensibility, said Risk Quantification General Manager Jerry Caponera. Being more data-driven has allowed ThreatConnect to provide mathematical evidence of objective findings and more detailed answers while maintaining simplicity, Caponera said.
The company can also apply the same technologies to automate the FAIR methodology, giving clients recommendations about actions they can take to remediate risk, as well as the cost associated with each, Caponera said. This allows customers to more easily trace the money spent on risk mitigation in various parts of their ecosystem and the amount of risk actually mitigated, making ROI easier to track (see: A Fresh Look at Security Analytics).
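The FAIR arithmetic behind the risk-reduction and ROI figures Caponera describes, reduced to a runnable illustration. This is an added example for this article, not ThreatConnect's, RiskLens' or any other vendor's code: it models one FAIR scenario as threat event frequency times vulnerability (giving loss event frequency) times loss magnitude, runs a Monte Carlo over simulated years, and computes the return on a control that lowers the vulnerability factor. The scenario figures (attempts per year, success probability, loss per event, control cost) are constructed placeholders and the triangular distribution is a stand-in for FAIR's calibrated PERT-style inputs.

```python
"""FAIR-style loss expectancy and return-on-control calculation.

Added example for this article; not a vendor's code. All scenario figures
below are constructed placeholders, not data from the article.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular
    distribution (a simple stand-in for the PERT-style inputs FAIR uses)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: a threat acting against an asset.
    threat_event_frequency: attempts per year (TEF)
    vulnerability: probability an attempt succeeds (Vuln); LEF = TEF * Vuln
    loss_magnitude: cost of one loss event, primary plus secondary loss (LM)
    """
    name: str
    threat_event_frequency: Estimate
    vulnerability: float
    loss_magnitude: Estimate

    def expected_annual_loss(self) -> float:
        # Analytic ALE: the factors are independent, so E[TEF*Vuln*LM]
        # is the product of the means. Used as a sanity check on the simulation.
        return self.threat_event_frequency.mean * self.vulnerability * self.loss_magnitude.mean


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years: each year draws a TEF, turns the
    resulting LEF into a Poisson count of loss events, and sums an
    independent loss magnitude per event (so some years cost nothing)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability
        events = _poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    losses.sort()
    return {
        "mean": statistics.fmean(losses),        # simulated ALE
        "p50": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],   # "bad year" figure for a board deck
        "zero_loss_years": losses.count(0.0) / trials,
    }


def return_on_control(before: Scenario, after: Scenario, annual_control_cost: float,
                      trials: int = 20_000, seed: int = 1) -> dict:
    """Risk reduction bought by a control and its return on security investment.
    Both scenarios use the same seed so the comparison is reproducible."""
    ale_before = simulate_annual_loss(before, trials, seed)["mean"]
    ale_after = simulate_annual_loss(after, trials, seed)["mean"]
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "rosi": (reduction - annual_control_cost) / annual_control_cost,
    }


# Constructed scenario: ransomware via phishing-borne initial access, before and
# after phishing-resistant MFA. The control lowers the success probability of an
# attempt, not the number of attempts. Figures are illustrative placeholders.
RANSOMWARE_BASELINE = Scenario(
    name="ransomware via phishing, no MFA",
    threat_event_frequency=Estimate(low=2, mode=6, high=24),
    vulnerability=0.5,
    loss_magnitude=Estimate(low=50_000, mode=300_000, high=2_000_000),
)
RANSOMWARE_WITH_MFA = Scenario(
    name="ransomware via phishing, phishing-resistant MFA",
    threat_event_frequency=RANSOMWARE_BASELINE.threat_event_frequency,
    vulnerability=0.2,
    loss_magnitude=RANSOMWARE_BASELINE.loss_magnitude,
)
MFA_ANNUAL_COST = 400_000.0  # constructed annual cost of the control

if __name__ == "__main__":
    for s in (RANSOMWARE_BASELINE, RANSOMWARE_WITH_MFA):
        r = simulate_annual_loss(s)
        print(f"{s.name}: analytic ALE {s.expected_annual_loss():,.0f}, "
              f"simulated mean {r['mean']:,.0f}, p90 {r['p90']:,.0f}")
    print(return_on_control(RANSOMWARE_BASELINE, RANSOMWARE_WITH_MFA, MFA_ANNUAL_COST))
```

The point a practitioner should take from this is in the inputs, not the arithmetic: the mean ALE falls out of three calibrated estimates, and the ROI claim for a control is only as defensible as the estimate of how much that control moves the vulnerability factor. The p90 figure is what answers the "how bad could a year be" question boards tend to ask, and the share of zero-loss years shows why a single year's actuals are weak evidence for or against the model.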
"We built CRQ to help organizations prioritize where they spend their investments in cyber based on financial risk," Caponera told Information Security Media Group. "What we said is, 'Look, we're not spending dollars on security in an efficient way.' We wanted to help prioritize where that company should be spending."
Forrester hit ThreatConnect for lacking external benchmarks, limitations with CVSS-based vulnerability scoring and a more tactically focused vision. Caponera said generic benchmarks don't mean much given the limited information organizations produce when breached. ThreatConnect opts to partner for technical rankings of vulnerability severity and exploitability so that it can focus on the dollar loss related to exploitation.
"Our approach is not tactical versus strategic," Caponera said. "It's technical in that we want to get to the root cause of why. When you know the root cause of why an attacker can get in and do what they can do, only then can you actually build either a defensive strategy or a mitigation strategy that protects against the right things."