“Who else is using RiskLens?” is a common question asked by prospects in search of market validation. They are very eager to move towards a risk-based approach to cybersecurity and hope that their organization can take full advantage of cyber risk quantification. A valuable step in the prospect’s decision-making process is knowing which companies have already started this journey and learning from the experience of their peers.
This question usually implies a series of more granular questions. Here are some common questions and their corresponding answers.
What size companies are leveraging RiskLens to assess cyber risk in quantifiable terms?
Organizations that use RiskLens’ applications or services are typically large enterprises and large SMBs. The sizes of these organizations varies a lot. We count two of the top Fortune 5 companies as our largest customers. On the other side of the spectrum, we work with several 1,000 employee-strong organizations. Every other customer is somewhere in between these hundreds of billion (US) dollar companies and the ones whose annual revenues are in the hundreds of millions.
Which industries are gravitating towards RiskLens the most?
While many prospects assume that large banks are the ones gravitating towards RiskLens, our rapidly expanding customer base does not show a concentration in any one industry. Instead, it points to a wide diversification across multiple industries. RiskLens customers operate in the following verticals: banking, retail, insurance, healthcare, energy, manufacturing, technology, payments, e-commerce, and government.
What are the main use cases?
Five main use cases have emerged for the use of the RiskLens platform:
Articulating cyber risk in financial terms. This use case addresses the fundamental question of “How much risk do we have?” and helps our customers produce reports for the board and business executives in terms they can understand and embrace.
Prioritizing risk mitigations. This use case helps answer questions such as, “Are we focusing on the most important initiatives?” and, “Which risk mitigations reduce risk the most?”
Assessing the ROI of cybersecurity initiatives. Here, customers conduct cost-benefit analyses related to their cybersecurity initiatives and answer questions such as, “Are we spending too much or too little on this initiative?” or, “Does this initiative matter in terms of risk reduction?”
Optimizing cyber insurance coverage. Some customers leverage RiskLens to help their ERM teams negotiate the right cyber policy from their insurance carrier by producing the necessary loss exposure projections.
Effectively assessing third party risk. An increasing number of customers are replacing their resource-intensive and ineffective questionnaires with more comprehensive, yet crisp assessments that can be completed in less than two hours.
What is the level of maturity required to become a RiskLens customer?
Before becoming RiskLens users, our prospective customers shared a desire to move from a compliance-based to a risk-based approach to cybersecurity. Very few had a risk quantification initiative in place. The maturity of their risk assessment practices varied:
Most customers’ risk management practices did not include measurable assessments of risk and were limited to checking compliance against cyber security frameworks and regulations such as NIST CSF, ISO 27100, PCI, FFIEC, etc.
Some customers had attempted to classify risk using qualitative methods such as ordinal scales (1-5, or High-Medium-Low) or color coded matrices, only to find out that these models did not enable cost-efficient decision-making and that they broke down when aggregated.
A very small number of customers attempted to build their own cyber risk quantification tool by building increasingly elaborate spreadsheets. The customers gave up once they realized they built a ‘monster-spreadsheet’ that did not scale and proved extremely difficult to use and maintain.
What we have learned from our customer engagements is that the differences in risk management maturity were not the main factor for a project’s success. Executive support for moving to a risk-based approach to cybersecurity mattered the most.
The RiskLens applications, because of the templated, step-by-step workflow that guides users through quantitative analyses, are easy-to-use and make up for deficiencies in risk assessment maturity.
Some of the data necessary for the analyses requires inputs from subject matter experts from various parts of the organization. This is where a chief information risk officer or a CISO can make a difference by opening doors and building cross-departmental support.