PivotPoint Risk Analytics’ flagship product CyVaR™ enables enterprises to quantify cyber risk in dollars and cents. Borrowing the concept of “value-at-risk” from the financial industry, CyVaR determines an organization’s Cyber Value-at-Risk, which is its potential financial loss from cyber-attacks over a given period of time within a given confidence interval. CyVaR achieves this by identifying the most valuable information assets and business activities that could be impacted by a cyber-attack, and then estimating the financial consequences of the potential loss of each. CyVaR then uses sophisticated attack modeling and Monte Carlo simulation to estimate the probabilities of those losses occurring and shows how those potential losses are distributed across business applications by financial loss type.
CyVaR also identifies the mitigations that can have the greatest impact on reducing risk. Above all, by using CyVaR, “We provide suggestions to risk managers and CISOs about the most effective way to reduce risk,” says Waits.
We’re enabling CIOs and CISOs to transform cyber security from a technical discussion to a business discussion and lead their organizations in managing cyber risk.
CyVaR creates a common lexicon for Risk Managers, CISOs, CIOs, CFOs, and insurance providers to evaluate how risk can be reduced through a combination of risk mitigation and risk transfer. It enables an organization to look at managing cyber risk from a bigger perspective—to understand how to combine security investments and cyber insurance and stay within their risk tolerance. “We are helping companies assess their needs, build business-driven security investment plans, and reduce their cyber risk,” extols Waits. A case in point: for a long time the CISO of the San Diego municipal government was challenged in establishing the importance of certain security investments and the security budget as a whole. Using CyVaR, the City was able to understand its financial risk, to see how that risk was distributed across business applications and processes, and ultimately justify the need for increased cyber insurance coverage and additional spending.
Waits’ philosophy of valuing things and protecting them lifelong is visible in his firm too. The company will continue to develop technology that adds greater flexibility to CyVaR so it can work directly with a company’s specific systems and controls. According to Waits, “It’s all about arming CIOs, CISOs, and Risk Managers with the Cyber Risk Analytics that enable them to build more effective cyber resilience strategies and turn cyber security into a business discussion.”