Jim is traveling home for Christmas and is looking forward to spending time with his family and friends. As he reflects on this past year, a big smile crosses his face. He has had a successful 2022 – a promotion to the position of CISO, greater visibility with senior management and a bigger mandate to build out the infosec function in 2023. He accredits a lot of his success to Balbix’s cyber risk quantification (CRQ) solution. In Jim’s words, “Balbix’s CRQ solution completely changed my career and my ability to manage cyber risk effectively”.
But, this wasn’t always the case. If we rewind 18 months or so Jim is stressed, frustrated and irritable. His frustration stems from the fact that his organization had made significant investments in various cyber security tools but he was still searching for answers to the following questions:
- What is my organization’s cyber risk exposure in monetary terms and how do I calculate it?
- What is the effectiveness of these security investments and how can I justify my cyber spend?
- Where do I prioritize remediation efforts to mitigate my biggest cyber risks faster?
- How do I effectively report the cyber risk exposure to senior management and the Board?
- How do I better partner with business risk owners to operationalize risk reduction?
And then Jim came across Balbix!
A couple of introductory conversations, a demo and a one week proof of value (POV) later Jim was convinced that Balbix and its capabilities would help resolve his pain points. Let’s dive deeper into Balbix and show you why it changed Jim’s career.
Pain point #1: What is my organization’s cyber risk exposure in monetary terms and how do I calculate it?
Balbix calculates the breach risk of the organization in monetary terms as the product of the likelihood of a breach occurring and the financial impact on the organization if the breach is successful. The breach risk assessment is performed in real time and continuously, thereby providing Jim with an up to date view of his organization’s breach risk in monetary terms. This risk calculation incorporates cybersecurity, IT and business context and therefore reflects the organization’s cybersecurity posture. The results are defensible and in line with real world expectations.
Pain point #2: What is the effectiveness of these security investments and how can I justify my cyber spend?
Organizations spend millions of dollars investing in cyber security tools that allegedly make the organization more secure. These tools no doubt do improve security posture but infosec teams struggle to estimate the effectiveness of these investments and justify their cyber spend. The inability to articulate this effectiveness could result in the budget being reduced and allocated to other areas in the business.
In Jim’s case, his organization had invested $250,000 in an endpoint detection and response (EDR) solution and he was keen to understand how effective this solution had been in protecting the organization with an eye on a renewal in two months’ time. Balbix with its advanced asset level breach risk calculation was able to assess the efficacy of deploying this specific EDR solution on an asset, group of assets and the overall enterprise. In particular, Balbix provided Jim with a pre- and post-implementation monetary risk assessment and the associated ROI. As we can see in the graph below, he was able to reduce his risk by $2.62M, an ROI of just over 10x. With this quantified risk view at hand, Jim was able to successfully negotiate with the procurement team and renew the subscription.
Pain point #3: Where do I prioritize remediation efforts to mitigate my biggest cyber risks faster?
Risk based prioritization is a key strength of the Balbix platform. The image below shows the level and detail of insights surfaced by the platform. In this case, we’re looking at all the servers in the environment and showing breach likelihood of 77% from unpatched vulnerabilities. The common vulnerabilities and exposures (CVEs) underlying the risk are listed below. The highest severity issues are CVEs linked to ransomware and malware with a severity rating of ‘Critical’.
Jim was able to use this information to prioritize which vulnerabilities to fix. He then used Balbix’s market leading CVE remediation and Patch Prioritization functionality to efficiently reduce his risk. He then reported on the risk reduction in monetary terms. The ability to do so has been a game changer for Jim and the risk owners.
Pain point #4: How do I effectively report the cyber risk exposure to senior management and the Board?
The Balbix platform allows security teams to interrogate a unified risk model in many different ways to present actionable insights to senior management and the Board. Balbix provides in excess of 25 pre-defined charts that enable multiple insights to be surfaced. Users can also easily create custom charts. Jim and his team created dashboards for each of his key stakeholders to effectively communicate key insights to them about cyber risk in relation to their business responsibilities. The picture below provides an example of this.
Pain point #5: How do I better partner with business risk owners to operationalize risk reduction?
Operationalizing CRQ can be challenging. This is usually because business risk owners have historically been tasked with managing cyber risk from a control and/or compliance perspective. Shifting the conversation to a risk based approach is a paradigm shift for many. To overcome this, CISOs and their team need to do three things:
- Introduce the concept of CRQ to business owners and educate them on the potential benefits of a quantified approach to cyber risk management.
- Provide each risk owner with an individual cyber risk exposure assessment along with key remediation measures that should be taken to reduce the risk to acceptable levels.
- Develop an engagement model with the business to drive continuous improvement.
If you can identify with any of the above pain points, please do get in touch with us and we would love to show you the power of Balbix’s CRQ solution.