Julian Waits, CEO
Businesses across every sector around the world know that cyber risks are real. Yet, in spite of increasing investments in cyber defenses, major breaches make headlines with great regularity and cost companies millions of dollars annually. Faced with more need than budget, CIOs and CISOs are challenged to select and prioritize the projects that will provide the greatest value to their organizations. According to Julian Waits, a cyber security expert and CEO of PivotPoint Risk Analytics, “There are three key questions that every CIO is challenged with—how much money could my business lose to cyber-attacks over the next year; how well have the past cyber investments we’ve made protected our most valuable assets; and how could investing in more security reduce our risk.” And as more businesses explore options for cyber insurance, “Companies are increasingly bewildered when trying to understand how much and what types of insurance they need to effectively transfer financial risk,” continued Waits. PivotPoint Risk Analytics is enabling CIOs, CISOs, and their businesses to answer these questions and make smarter business decisions through a new category of solutions called Cyber Risk Analytics.
PivotPoint Risk Analytics’ flagship product CyVaR™ enables enterprises to quantify cyber risk in dollars and cents. Borrowing the concept of “value-at-risk” from the financial industry, CyVaR determines an organization’s Cyber Value-at-Risk, which is its potential financial loss from cyber-attacks over a given period of time within a given confidence interval. CyVaR achieves this by identifying the most valuable information assets and business activities that could be impacted by a cyber-attack, and then estimating the financial consequences of the potential loss of each. CyVaR then uses sophisticated attack modeling and Monte Carlo simulation to estimate the probabilities of those losses occurring and shows how those potential losses are distributed across business applications by financial loss type.
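
The value-at-risk idea described above can be illustrated with a small Monte Carlo simulation. This is an added example, not PivotPoint's code and not CyVaR's model: the scenarios are constructed sample data, and independent events with triangular loss sizes are simplifying assumptions.

```python
import random

# Constructed sample scenarios (not from the article):
# (application, loss type, annual probability, min, most likely, max loss in USD)
SCENARIOS = [
    ("billing", "business interruption", 0.10, 50_000, 200_000, 1_500_000),
    ("customer-db", "breach response", 0.05, 100_000, 750_000, 5_000_000),
    ("email", "payment fraud", 0.30, 5_000, 40_000, 250_000),
]

def simulate_year(rng, scenarios):
    """Draw one simulated year: which losses occur and how large they are."""
    losses = {}
    for app, loss_type, prob, low, mode, high in scenarios:
        if rng.random() < prob:  # assumption: scenarios are independent
            losses[(app, loss_type)] = rng.triangular(low, high, mode)
    return losses

def cyber_var(scenarios, confidence=0.95, trials=20_000, seed=1):
    """Return (VaR at `confidence`, mean annual loss, mean loss per scenario)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    per_scenario = {(s[0], s[1]): 0.0 for s in scenarios}
    for _ in range(trials):
        year = simulate_year(rng, scenarios)
        totals.append(sum(year.values()))
        for key, loss in year.items():
            per_scenario[key] += loss
    totals.sort()
    # VaR: the loss that is not exceeded in `confidence` of simulated years.
    var = totals[min(trials - 1, int(confidence * trials))]
    mean = sum(totals) / trials
    breakdown = {key: total / trials for key, total in per_scenario.items()}
    return var, mean, breakdown

if __name__ == "__main__":
    var95, mean, breakdown = cyber_var(SCENARIOS)
    print(f"95% one-year VaR: ${var95:,.0f}  (mean annual loss ${mean:,.0f})")
    for (app, loss_type), avg in sorted(breakdown.items(), key=lambda kv: -kv[1]):
        print(f"  {app:12s} {loss_type:22s} ${avg:,.0f}")
```

The gap between the mean annual loss and the 95% figure is the point of the exercise: most simulated years cost nothing, so the average understates what a bad year looks like.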
CyVaR also identifies the mitigations that can have the greatest impact on reducing risk. Above all, by using CyVaR, “We provide suggestions to risk managers and CISOs about the most effective way to reduce risk,” says Waits.
We’re enabling CIOs and CISOs to transform cyber security from a technical discussion to a business discussion and lead their organizations in managing cyber risk
CyVaR creates a common lexicon for Risk Managers, CISOs, CIOs, CFOs, and insurance providers to evaluate how risk can be reduced through a combination of risk mitigation and risk transfer. It enables an organization to look at managing cyber risk from a bigger perspective—to understand how to combine security investments and cyber insurance and stay within its risk tolerance. “We are helping companies assess their needs, build business-driven security investment plans, and reduce their cyber risk,” says Waits. A case in point: for a long time, the CISO of the San Diego municipal government struggled to establish the importance of certain security investments and of the security budget as a whole. Using CyVaR, the City was able to understand its financial risk, to see how that risk was distributed across business applications and processes, and ultimately to justify the need for increased cyber insurance coverage and additional spending.
Waits’ philosophy of valuing things and protecting them for life is visible in his firm too. The company will continue to develop technology that adds greater flexibility to CyVaR so it can work directly with a company’s specific systems and controls. According to Waits, “It’s all about arming CIOs, CISOs, and Risk Managers with the Cyber Risk Analytics that enable them to build more effective cyber resilience strategies and turn cyber security into a business discussion.”