Introducing... Cydea Risk Platform
On Wednesday evening, at the Soho Hotel in London, we launched Cydea Risk Platform, a software-as-a-service product to help organisations achieve better security outcomes.
At the beginning of the presentation I talked to the packed auditorium – of clients, partners, current and former colleagues, and new faces – through the events that led to the launch, and why we, and so many of our early adopters, are so excited about it.
I want to share some of that with you in this blog post.
Positive Security
I founded Cydea in 2019 with an ambition to eschew the FUD (fear, uncertainty and doubt) that dominates so much of the cyber security industry, and to help more organisations really understand their risk.
In the early days — when Pandemic was just the name of a board game — I sat in my kitchen, like I know many other startup founders have, surrounded by ideas and post-its.
Some of them were lessons I’d learned from running a large, respected consulting practice:
- That reports can all too easily create illusions of agreement
- That those reports all too quickly become out of date, gathering dust
- That it’s important to measure things
Others were predictions:
- That events will move faster and decisions will need data
- That people will always take the easy path
- That common approaches were hindering, not helping, security management
And some were principles:
- That if we truly believed in something, and our customers did too, then we should codify it. Not in the PowerPoint decks, ‘accelerators’ and template sense. Really codify it.
And with help from friends and loved ones, I crafted a manifesto of sorts. The world needed more positive security! A belief that Cyber security shouldn’t be about FUD. That it should start with understanding. Be about managing, not eliminating, risk and having confidence that you’ve done the appropriate things to achieve your goals.
Four-and-a-half years later, our launch this week is a celebration of those practices, predictions and principles, plus a lot more that we have learned through work with our clients, user research, and early adopters.
An unassessed priority
One of those predictions was that ‘bad guys will always try to steal valuable things’. Unfortunately that one has proved to be very true.
Cyber security is rarely out of the headlines, and the latest official statistics from the UK government, released this month, show that the majority of businesses consider cyber security to be a fairly high or very high priority.
Yet, despite this, and the extensive guidance encouraging a risk-based approach to this problem, just 31% have ever conducted a cyber risk assessment.
They know it’s a problem, but don’t know where to start.
Problems with PIGs
Two of the most common responses to our user research were that, when people have conducted a risk assessment, it’s often done in generic tools like Excel, and that it takes “too much” time.
Many teams spend weeks or even months just managing spreadsheets, instead of managing risk.
And if they are able to be proactive, they don’t have a good pointer for where to focus, what’s a sensible investment, and where to look for meaningful improvements.
Their efforts are, in part, hindered by those common approaches I mentioned earlier.
Language matters, and qualitative terms are frequently misunderstood. On Wednesday evening we demonstrated in the room that, for our audience of experienced security practitioners and CISOs, “likely” can mean anywhere from 30% to 90%.
That’s a huge margin of error!
Didn’t get that budget request for your MDR service? Probably the exec didn’t understand the importance of your request!
NATO recognised this back in the 1990s. This chart shows variations in NATO intelligence officers’ interpretation of probability phrases. “Likely” shows a similar range of perceptions.
So even when they do try to understand their cyber risk, qualitative terms are all too easily misunderstood.
Then there is the pervasive 5x5 risk matrix — the Probability Impact Graph, or PIG — at the heart of many unwieldy spreadsheets. This further compounds things by taking a distorted, low-resolution picture that undermines important business decisions, focuses attention on the wrong things, or misrepresents the organisation’s exposure.
I’ve written before about how there is a better way to communicate risk than the risk matrix. How a ‘red risk’ can be much less impactful than an ‘amber risk’. That their colours may not accurately convey the situation. In this example, despite being at almost opposite sides of the 5x5, the red Risk A is 16% lower than amber Risk B.
- Risk A has a £2.5 million impact and a 90% likelihood, representing a £2.25 million risk to the organisation, and is coded as a ‘red’ risk
- Risk B has a £10 million impact and a 29% likelihood, representing a £2.9 million risk, while seemingly being of the lower ‘amber’ priority
Governance, Risk and Compliance (GRC) teams, cyber security analysts, and information security managers are being let down by flawed methods. They spend ages collecting information, analysing data and producing nuanced assessments, then force it into one of 25 cells that makes this 4K risk analysis look like black and white telly.
And that’s before you start to try to ‘add up’ red + amber + green to give an overall picture.
What a muddy mess!
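To make the rank inversion concrete, here is an added Python illustration (not Cydea’s code, and not from the post): it bins each risk into a 5x5 cell, assigns a red/amber/green colour from the cell score, and compares that ordering with the expected loss (impact × likelihood) that the post argues for. Risk A and Risk B use the figures above; the likelihood and impact bands, the score-to-colour thresholds, and the third risk are constructed assumptions, chosen so that A and B land in the cells the post describes. A differently calibrated matrix would move the cells, which is itself part of the point: the £ figures do not move.

```python
"""Quantitative view versus the 5x5 'PIG' view of the same cyber risks.

Added illustration, not Cydea Risk Platform code. The likelihood and impact
bands, the score thresholds and Risk C are constructed assumptions; Risk A
and Risk B use the numbers from the post.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact_gbp: float   # loss if the scenario occurs, in pounds
    probability: float  # likelihood of it occurring, 0.0 to 1.0


# Constructed bands (assumption): upper bound (exclusive) -> 1..5 score.
LIKELIHOOD_BANDS = [(0.10, 1), (0.30, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
IMPACT_BANDS_GBP = [(100_000, 1), (1_000_000, 2), (5_000_000, 3),
                    (20_000_000, 4), (float("inf"), 5)]


def _band(value: float, bands) -> int:
    """Return the 1-5 band a value falls into (first band whose bound it is under)."""
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]


def matrix_cell(risk: Risk) -> tuple[int, int]:
    """(likelihood band, impact band): the cell the risk lands in on the 5x5."""
    return _band(risk.probability, LIKELIHOOD_BANDS), _band(risk.impact_gbp, IMPACT_BANDS_GBP)


def matrix_score(risk: Risk) -> int:
    """The usual PIG score: likelihood band times impact band (1-25)."""
    lik, imp = matrix_cell(risk)
    return lik * imp


def rag_colour(risk: Risk) -> str:
    """Map the cell score to a colour. Thresholds are a common, assumed convention."""
    score = matrix_score(risk)
    if score >= 15:
        return "red"
    if score >= 5:
        return "amber"
    return "green"


def expected_loss(risk: Risk) -> float:
    """Quantified risk in pounds: impact multiplied by likelihood."""
    return risk.impact_gbp * risk.probability


def rank_by_matrix(risks):
    """Priority order the 5x5 implies (highest cell score first)."""
    return sorted(risks, key=lambda r: (-matrix_score(r), r.name))


def rank_by_expected_loss(risks):
    """Priority order the quantified view implies (largest expected loss first)."""
    return sorted(risks, key=lambda r: (-expected_loss(r), r.name))


def portfolio_expected_loss(risks) -> float:
    """Pounds add up; this is the 'overall picture' the post asks for."""
    return sum(expected_loss(r) for r in risks)


def colour_counts(risks) -> Counter:
    """Colours do not add up; the best a PIG can offer is a tally of cells."""
    return Counter(rag_colour(r) for r in risks)


# Risk A and Risk B are the post's figures; Risk C is constructed.
RISK_A = Risk("Risk A", 2_500_000, 0.90)
RISK_B = Risk("Risk B", 10_000_000, 0.29)
RISK_C = Risk("Risk C", 60_000, 0.40)
PORTFOLIO = [RISK_A, RISK_B, RISK_C]

if __name__ == "__main__":
    for r in PORTFOLIO:
        print(f"{r.name}: cell={matrix_cell(r)} colour={rag_colour(r)} "
              f"expected loss=£{expected_loss(r):,.0f}")
    print("PIG order:     ", [r.name for r in rank_by_matrix(PORTFOLIO)])
    print("Quantified order:", [r.name for r in rank_by_expected_loss(PORTFOLIO)])
    print("Portfolio expected loss: £", f"{portfolio_expected_loss(PORTFOLIO):,.0f}")
    print("Colour tally:", dict(colour_counts(PORTFOLIO)))
```

Running it shows Risk A in a red cell and Risk B in an amber one, while the expected losses put B ahead of A; the portfolio total is a single pound figure, whereas the colour tally is just three counts that cannot be combined into an exposure.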
Cydea Risk Platform
Enter: Cydea Risk Platform!
Cydea Risk Platform is a software-as-a-service solution that:
- radically accelerates cyber risk and compliance programmes
- quantifies and models risk in monetary terms
- improves communication and decision making between business, IT and security teams
We’ve built in risk intelligence from Cydea that helps organisations to:
- quickly identify and easily manage the risks that matter
- provide a clear view of treatment proposals and security improvement plans
- and measure how risk scenarios are manifesting by ‘closing the loop’ with incidents
All in a way which can be easily shared and communicated.
Accessible assessments
Cydea Risk Platform is available in sizes to suit the needs of different organisations.
There’s a starter plan for the smaller team, with a single assessment and support for basic control frameworks like Cyber Essentials.
A professional plan for medium teams, with multiple assessments, more complex modelling needs, and more advanced industry frameworks like ISO 27000 and NIST’s Cybersecurity Framework.
Finally, an Enterprise plan, suitable for larger teams, will be coming later this year. (Get in touch if you’re interested in helping shape that!)
One more thing…
Since incorporation, it’s been really important for me that Cydea is a force for good in the world.
Through the Cydea x Good Causes programme we have made substantial donations to charities and disaster relief efforts, supported organisations with pro-bono advice, and gifted access to courses and bought reading materials for schools to inspire the next generation of security professionals.
And while just 1-in-3 businesses have conducted a cyber risk assessment, for charities it’s even worse…
Just 26% have taken action to assess their risk.
So it’s also a huge pleasure to announce that we will provide free access to 100 charities, to help them better understand their risk, so they can focus on the brilliant work that they do in our communities.
Closing the loop
The response from those at the launch event, and in the 24 hours since, has been phenomenal.
I’m really proud of what we’ve built and huge thanks go to the Cydea team, our development partner Radical, plus those that participated in user research and early adopters for helping to make this a reality.
We can’t wait for you to get your hands on the platform, and start closing the loop on cyber risk.
Check out Cydea Risk Platform to quantify cyber risk, have better board conversations, and improve your security outcomes.