Safe Security Buys RiskLens to Advance Cybersecurity Risk Management

Safe Security this week acquired RiskLens, a pioneer in the development of the Factor Analysis of Information Risk (FAIR) quantification standard for assessing cybersecurity risk.

FAIR provides a standard taxonomy and risk quantification model, overseen by The Open Group, that enables cybersecurity teams to express risk in financial terms business executives can more easily understand.

RiskLens CEO Nick Sanna, now president of Safe Security, will continue to lead the FAIR Institute, a nonprofit focused on advancing best practices for risk quantification. The overall goal is to make it simpler for cybersecurity teams to share risk assessments in a way that anyone can easily understand. In fact, as that approach continues to evolve, cybersecurity, governance, risk and compliance management tasks will increasingly converge, he noted.

Safe Security CEO Saket Modi said the acquisition of RiskLens will result in the FAIR model being embedded into an automation platform that employs artificial intelligence (AI) models, developed in collaboration with the Massachusetts Institute of Technology (MIT), to evaluate cybersecurity risks via integrations with more than 50 platforms.

The company also recently added a generative AI chat interface that makes the large language models (LLMs) on which the company’s platform is based more accessible to end users through natural language, regardless of their level of cybersecurity knowledge, noted Modi.

As the conversation between cybersecurity teams and the rest of an organization continues to mature, there is now a lot more focus on risk, noted Modi. Business leaders are aware that IT platforms are being attacked, but they need to be able to make informed decisions about how to prioritize resources based on the level of risk to the business those threats actually represent, said Modi.

Today, too many of those decisions are based on gut instinct and an outdated understanding of security threats rather than actual facts, he added.

That shift is fundamentally changing the role cybersecurity professionals play within those organizations as the focus moves from managing security operations to minimizing the financial impact of a potential breach, he added.

At the same time, new rules being proposed by the Securities and Exchange Commission (SEC) along with requirements being put in place by cyberinsurance providers are focused on the same financial concerns, said Modi.

It’s not clear how quickly cybersecurity professionals are developing the acumen required to have a meaningful conversation with business executives, but Modi noted that expecting business executives to acquire cybersecurity expertise isn’t plausible. If there is to be a conversation, it needs to be in terms the business understands and appreciates.

Regardless of how those conversations are started, the expectation is that cybersecurity leaders will be able to convey realistic assessments of risks to a business based on the severity of the threat and the actual value of the data that might be at risk. The challenge, of course, is surfacing those risks in an era where changes to IT environments are made multiple times a day.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
