Interview: Safe Security’s Co-Founder And CEO Talks Cyber Risk Quantification And Improving Business Communication
Expert Insights interviews Saket Modi, CEO and Co-Founder of Safe Security, to discuss the importance of cyber risk quantification.
The threat landscape is expanding rapidly and security professionals are struggling to keep up. For CISOs and security teams, the ever-evolving data breach attempts, malware variants, ransomware, and zero-day exploits must seem like a beast that can’t be beaten.
Cyber risk management practices today are flawed – they are siloed, reactive, and lack a business perspective. Organizations, especially those who are highly dependent upon their information technology (IT) networks for their business operations, are in need of specialized support to help close the gaps in their dependence and optimize their business practices.
With so many different cyber threats testing your resilience at once, it can be difficult to work out where to focus your cybersecurity effort for the best overall improvements. Cyber risk quantification (CRQ) is a tool used to better understand and evaluate key risk scenarios to better inform business decisions.
As well as helping to protect your data against compromise, cyber risk quantification also has a financial benefit: findings suggest that companies without a cyber risk quantification solution are sitting at a risk of $5.4 million for an average data breach, while for companies that do have one, the average is $3.3 million for a breach. This means that using a framework to better manage your cyber risk can reduce not only the likelihood of a breach, but also its impact.
We spoke to Saket Modi, Co-Founder and CEO of Safe Security, to get his insights on today’s most pressing cyber security challenges, the problem with how cybersecurity risk has been measured historically, and the ways in which SAFE’s recommendation engine—using data-driven insights to prioritize risk—allows organizations to make informed decisions on whether to accept, mitigate, or transfer cyber risk.
Could you please introduce yourself and tell us about Safe Security and what unique capabilities it offers?
My name is Saket Modi, I’m the Co-Founder and CEO of Safe Security. Our SAFE platform is a cybersecurity and digital business risk quantification and management solution.
We at Safe Security think cybersecurity is fundamentally broken for three reasons. First, it’s extremely siloed, so products don’t talk to each other. You can have a different dashboard for EDR, for identity, for GRC, for phishing, for third party, etc. And there are, on average, between 25 and 75 dashboards in a Fortune 2000 company today, all of which are very isolated.
The second problem is, most of cybersecurity risk analytics is reactive; if you go to a SOC or an SIEM solution, it looks at your logs and events and converts that into an incident. But you only figure out that there is an incident after it has occurred. There is nothing telling you the probability of that incident occurring.
The third and final problem, which in my mind is actually the biggest problem, is that cybersecurity products don’t talk the language of business. So, when a cybersecurity product indicates that X amount of people don’t have two-factor authentication, the question of “So what?” (from a business leader, a CFO, a CEO, the board of a company) is often not answered.
These three problems are what we are solving using our SaaS platform. We come into your organization and we take API feeds from your existing scanners and, based on that signal, we can give you a recommendation to buy a vulnerability scanner or buy an identity solution. We also map all of those feeds to the MITRE ATT&CK Framework to normalize those signals. Because a vulnerability feed is very different to a malware feed. We normalize them using the MITRE ATT&CK framework, which we are one of the contributors to, and we put that together into a data analytics framework that we’ve co-developed with MIT.
We’ve been working with MIT for almost four years now, and we developed this thing called a Bayesian network-based risk prediction engine. This allows us to predict ransomware for you; we can say, “You’re sitting at an 11% probability of a ransomware attack, while the industry average is 8%,” and that prediction is based on the signals that we read from CrowdStrike, from threat intelligence data, your business context, your leaked credentials etc. We take all that data and give you the probability of a breach and the top 10 actions to be taken to reduce the potential for a breach. So, that’s the way we are solving the second problem, we are going from reactive to proactive and predictive.
Lastly, we don’t just tell you you’re at 12% likelihood of ransomware breach, we also tell you—based on the probability in the next 12 months—your estimated dollar value impact if ransomware were to occur. Now, that is a language that a CFO or CEO understands.
Who is your typical customer base, and what are the main challenges you are helping them to solve?
We have some of the largest brands on the planet today using our product, live as we speak, but we are a young company.
Because of this, we are laser focused on four verticals at the moment: financial services, healthcare, retail, and service providers. These four verticals include 70-80% of our customers, although there are some others also.
The value that we deliver can be boiled down into four crisp points. First, we help you to quantifiably understand and measurably improve your cyber risk posture. Second, we help you achieve unified, comprehensive, and real time visibility into cyber risk. Third, we help you to communicate cyber and business risk consistently across the enterprise.
Consistency is very important. Today, in most large companies if you were to ask a board member, “How well do you think your cyber risk is taken care of?” and then ask the same question of the CEO, CFO, CIO, CISO, the chief risk officer, the auditors, and the cyber insurance underwriters—you would get a different answer from each one of them. Because there’s no consistent communication. But if you asked all of them, “How well did the company perform last year?”, you will get a consistent answer. They will know their targets, what they did to reach them, what they missed and what they managed to hit. At Safe Security, we enable consistency. For example, an output from our product is a board report; CISOs use our product to generate their board reports, and that becomes a very important artefact.
And fourth—which in my view is the most important point—we help you protect your revenue, reputation, and growth.
The Safe Security website talks about how cyber security has always been measured in subjective silos. Could you expand on this, and explain why this approach is no longer enough?
If you think about how cybersecurity risk has been measured historically, there were always subjective risk matrices. Tony Cox of MIT did an interesting piece of research about 25 years back which showed that subjective risk matrices are not only inaccurate, but are detrimental to the information that they’re conveying.
The problem with those subjective risk metrics is you take real data—like how many vulnerabilities there are, how many endpoints are not patched, how many people clicked on a phishing link, etc.—and then you assign them the label high risk, medium risk, low risk. You then marry one high risk with one low risk and expect to reach medium risk, but that’s not how data science works. You can’t marry one amber with one green with one red, and then magically the output is an orange. And that is the fundamental problem of subjective risk matrices.
We are under the umbrella of cyber risk quantification, but I don’t like that word. I think the phrase “cyber risk quantification for better cyber risk management” is a much better fit. What that means is, we do cyber risk quantification for better management. That is the core of what we are trying to do; everything quantitative.
So how do we quantify? We use things like Bayesian networks. So, we do give scores, but our “score” is simply a multiplication of the probability of a breach. There’s a lot of data science of statistical modelling and probabilistic modelling, which is already out there. And we use those data science techniques (i.e., Bayesian Networks, Monte Carlo Simulation, logarithm of the odds ratio etc.) to come out with what we have.
How important is it to assess, prioritize and manage enterprise cyber risk? What are the benefits of doing this in real-time?
The benefits vary between different personas. These personas include the risk owners, the risk showers, and the risk fixers.
The risk owners are the CIOs and the CEOs; they are the ones who own the risk, because they own the application or the technology. The risk showers are the CISOs and the chief risk officers, because their job is to show the risk; they don’t own the risk because they don’t own the tech stack. And the risk fixers are your IT ops, DevOps, cloud ops etc. (i.e., the people who actually fix the issues). And each one of these benefits differently.
For the risk owners, the biggest benefit is the ability to quantifiably understand and measurably improve. Measurable improvement is important because, as of now, most CIOs and CEOs do not have a consistent metric that they can hold their security teams accountable for and oversee progress. Another benefit for the CIO and the CEO is we’re protecting the revenue.
For risk showers, the number one value that we provide is we save their jobs. We enable CISOs and chief risk officers to communicate with the board and set the expectations for residual risk. We also help CISOs to increase their budgets by facilitating conversations around what risks there are, what needs to be improved, how to create the improvements etc. We also let them display an accurate picture of where things are to illustrate the improvements they create in a measurable way.
Risk fixers have a very underappreciated job. When things go off without a hitch that often isn’t recognized, and there is typically no way for individuals or teams to accurately show their positive contributions. We can see a list of all the things they patched, but not what effect these actions had on overall risk. Giving insight into actionable improvements is like a reward, and people feel better knowing they have contributed positively.
These are the main positive business outcomes for the three personas.
SAFE quantifies prioritized areas for improvement; which areas are organizations most commonly falling short on? Why do you think this is?
The simplest answer I could give you is that organizations are most often falling short on the basics and their overall cyber hygiene.
A more complex answer is that organizations have a lot of controls, and we look at controls in three dimensions; the breadth of the controls, the depth of the controls, and the fidelity of the controls. Let’s take EDR as an example. You may have an EDR, but perhaps it is only deployed on 30% of your systems—that’s the breadth, and we recommend that you reach the right breadth.
As for depth, you may have an EDR in place, but have not enabled the APT module. And guess what? A lot of APT attacks are happening at companies of your industry, size and geography. We never recommend a vendor, we will only recommend the capabilities you should expect of your EDR vendor.
Lastly, there is fidelity. You may have CrowdStrike deployed across the entire organization and have bought every available module, but with all these insights that CrowdStrike is providing, there is nobody to act on them. Nobody is monitoring, it doesn’t connect to the SIEM or the SOC, it doesn’t connect to SAFE. Well, that’s a fidelity problem.
These are the three things that we look at for any given control. And we see issues across all the three. And unfortunately, most security procurement is happening because a sales guy was persuasive or because an analyst told you what the next big thing was, when it should be based on what you require—based on quantifiable proof—given your internal controls, given the external threat landscape, and given your business context.
It’s almost like saying, “I will take medicines based on whatever was the best commercial I saw.” But that’s not a good reason to take a certain medicine. You should take medicine because you are unwell, and the medicine is designed to help—this is the context of a problem and your actions to solve it.
Most security decisions are not happening based on the organization’s specific problems; they are being made based on what’s popular. At Safe Security, we help you to see your problems in a quantifiable and actionable way, to really tackle them.
What would your final piece of advice be to organizations who are not evaluating their status of risk exposure to cyber threats?
You will be hacked.
One of my key investors, John Chambers, very famously said, “There are only two companies out there; one who knows that they’ve been hacked and the other who doesn’t.” I don’t think people should be worried by the statement that you will be hacked. The worrisome thing is having to prove to SCC that you are managing the risk to the best of your capacity.
That’s not an easy thing to prove, but it is made much easier with an actionable report covering risk exposure and displaying that in dollar terms. This is our SAFE score.
I don’t think getting hacked is a problem. When I say “You will be hacked,” I don’t say that to scare people, because I think most CISOs know they will get hacked. But what happens after the hack?
Thank you to Saket Modi for taking part in this interview. You can find out more about Safe Security’s cyber risk quantification platform via their website.