Qualys QSC Americas day #1: Rocking risk realities with ROC

Qualys staged the North American leg of its Qualys Security Conference (QSC) practitioner event this month under the sometimes-foggy skies of an autumnal San Diego.

Gathering the great and the good from within the Qualys family, CEO & president Sumedh Thakar used his keynote to celebrate the company’s 25th anniversary.

One-quarter century in, Thakar says that his firm is on a ‘never-ending innovation journey’ to disrupt what we could call the cybersecurity market, except it is more than that now.

Qualys isn’t so much the cybersecurity company, it’s now the systems compliance company, the cloud configuration management specialist, the CISO management console provider and the cloud developer-focused container lock-down advocate that understands how data and application silos have resulted and wants to help fix them.

None of that is official Qualys messaging, it’s just how the organisation comes across at a higher level.

Qualys QSC 2024

Into the Qualys QSC 2024 conference itself on day 1, attendees were able to ‘breakfast on’ an industry specialist in advance of CEO Thakar taking the keynote stage.

Presenting first was Juliette Kayyem, a CNN national security analyst and former assistant secretary at DHS, which is the Department of National Security, obviously.

Kayyem is a Harvard professor and talks with some gusto. Her specialist area is disaster and crisis management and her key lesson centred on how to fail more safely, i.e. with an understanding of the fact that failures do inevitably happen.

“If we start to think about crises as a standard throughline, then we can perhaps think about tough disaster management as something that is no longer a rare occurrence,” said Kayyem, recounting a macabre story about how she had found a hidden infirmary room in her loft where someone had died from Spanish Flu some 100 years ago – especially poignant given the fact that it all happened again with Covid-19.

Taking the audience through a probability-consequence-risk framework, Kayyem explained that we shouldn’t be too focused on (for example) selfie-stick deaths (they’re just so rare); there is of course a need to focus on car accidents, but we should also keep in mind the grey rhino events (major natural disasters) that will inevitably happen in the world.

Nation-state (bad) actors

“The major culprits out there are still nation-actor states – and we know who they are, it’s China, Iran and Russia. The trajectory of these attacks has gone from the ‘fun and games’ of meddling with elections, upwards to the SolarWinds breach. We know that organisations are now looking at calculating the cost of ransomware demands against the risks of the breaches they may have suffered,” said Kayyem.

Thinking about enterprise risk and preparedness, she urged the audience to think about the ‘guards, gates & guns’ as the front line of defence, but beneath all that, it’s crucial to understand whether an organisation’s IT architecture has the core resiliency to be able to withstand the recurring nature of disasters. 

“Building at shift left (of the disaster boom) is always going to help you survive right of the inevitable right booms that will happen and, crucially, this will give us agency to be able to operate in the real world with the events that we know will happen,” concluded Kayyem before saying that we need to identify commonalities for dealing with risks as they impact modern businesses today.

Criticality reboot

CEO Sumedh Thakar’s main keynote session was entitled, “If Everything Is Critical, Nothing Is: Unveiling a New Approach to Cyber Risk Management” and if that doesn’t make sense you’re not paying attention, i.e. if ALL elements of the stack are treated as being just as critically fragile as the next, then a business is never going to be able to prioritise and get its DevOps teams working to lock down the most important things first.

Taking over from Kayyem, Thakar of course mentioned his firm’s quarter-century celebration this year as his starting point.

“Mitigation and transfer of risk is really what cybersecurity is all about now,” said Thakar. “Organisations are always wondering how much they should pay to offset risk and that is always tough as risk will never go away. It’s all about working out how much of the risk will cause a financial loss to the organisation. From a risk management perspective, it’s a question of how much does the business stand to lose if any given vulnerability were to be exploited.”

Reputational damage can of course occur when systems are compromised, but the IT function and indeed the business function is more concerned about the ability to keep its data layer operational. After all, which customers decide not to work with any given brand (say a banking system, or perhaps a retailer) just because their system has gone down for a week?

Quantification of risk is therefore exceptionally important.

Risk Operations Center (ROC)

Thakar moved on to detail Qualys’ main product announcement for this event.

The company has launched its Risk Operations Center (ROC) with Enterprise TruRisk Management (ETM) at the Qualys Security Conference. The solution enables CISOs and business leaders to manage cybersecurity risks in real-time, transforming fragmented, siloed data into actionable insights that align cyber risk operations with business priorities. 

“With IT environments growing more complex and potential risk exposures more numerous, organizations need a holistic and proactive cybersecurity management platform that brings all cyber-risk exposures to one place, unifies scoring and simplifies prioritization and reporting,” said Michelle Abraham, research director at IDC. “Qualys’ approach with the Risk Operations Center delivers this ideal in a cohesive way. With the ability to analyse all risk factors at a glance – such as exploitability, unique organisational context, threat intelligence and financial impact – Qualys Enterprise TruRisk Management empowers CISOs and business leaders to create actionable, enterprise-wide strategies to reduce risk to levels that align with the business’s objectives.”

ROC with Enterprise TruRisk Management is designed to unify asset inventory and risk factors, apply threat intelligence, business context and risk prioritisation, and orchestrate remediation, compliance and reporting through a single interface.
