Venturing Back to the Operator Role: my return to cyber risk management

When I joined NightDragon earlier this year, I focused on supporting go-to-market strategies for our high-growth cybersecurity companies. One company, ThreatConnect, quickly captured my attention – both because of their innovative approach to cyber risk quantification and because of their team/culture. So, when offered the opportunity to join them as their Director of Business Development, CRQ, I had zero doubts. My immediate response was “heck yeah, let’s do this!” 

I'm excited to join the ThreatConnect family for two key reasons: first, my enthusiasm for cyber risk management - developed through extensive experience with discovering and assessing vulnerabilities to solve complex challenges - rivals the thrill of attending a Golden State Warriors game — it's a high-energy vibe (scroll to the end for a not-so-subtle flex)! Second, understanding the importance of Cyber Risk Quantification (CRQ) in today’s evolving landscape is vital. My experience with risk assessments has shown me how CRQ can empower organizations to make informed decisions and prioritize their security efforts effectively. Let’s dive into that second point first; I promise the first will shine through!

**

Cyber Risk Quantification assigns monetary values to cybersecurity risks, helping companies understand both the qualitative impacts of breaches and their financial implications. While this concept isn't new, methods have varied significantly over the past decade in translating abstract risks into concrete metrics and how Boards receive them across industries—a discussion for another time.

As cyberattacks grow in frequency and sophistication, organizations must prioritize understanding their vulnerabilities and potential financial losses. A CRQ tool enables businesses to allocate resources effectively, justify cybersecurity investments, and communicate risk in financial terms. In other words, CRQ allows security leaders to discuss risk and impact in the universal language of business: dollars and cents.  

Reflecting on my own experiences in risk and governance, I remember engaging in numerous discussions with peers and industry colleagues about the challenges posed by existing tools and frameworks for assessing risk and identifying effective mitigation strategies. Many of these methods rely heavily on the word of seasoned professionals with years of accumulated knowledge. However, the reality was that most of these assessments and subsequent risk ratings yielded qualitative outputs — essentially “best guess” estimates of vulnerabilities and their potential consequences if left unaddressed. While these qualitative insights can be informative, they lack the concrete guidance businesses need.

Expert opinions on threats can be flawed, with biases or overwhelming meaty risk registries leading to a downplay of concerns. Traditional qualitative approaches often provide data without compelling answers, limited by the assessor's comfort level. In contrast, CRQ tools help users evaluate the financial impact of cyber incidents, prioritizing asset protection based on their criticality and value to the organization.

Users of a CRQ tool can use information about the criticality and financial value of business assets to help determine the potential financial loss from a cyber incident. This can help prioritize which assets need the most protection based on their value to the organization.

To illustrate how quantitative analysis can be transformative, consider these use cases:

• Financial Institutions: CRQ helps evaluate cybersecurity investments by assigning monetary values to potential threats, and by optimizing budgets.
• Healthcare Organizations: These institutions face numerous cyber threats and use CRQ to analyze past incidents, identify critical assets, and tailor security protocols.
• Technology Companies: By integrating CRQ into product development, tech firms can understand the financial implications of security flaws and prioritize necessary features.

These examples underscore the importance of CRQ in the face of an ever-growing array of attack vectors, from third-party vendors to insider threats. By adopting a more quantitative approach, organizations can navigate the complexities of cybersecurity with greater clarity and confidence. And, with the SEC’s ruling on mandatory disclosure of material incidents, I’m willing to bet there are a good number of companies more interested in funding risk mitigation than dealing with the financial and reputational fallout from public disclosures.  

Okay, time to wind down by touching on company culture at ThreatConnect. I am excited to embrace ThreatConnect’s people-first mentality, which is grounded in collaboration, diversity, and trust. I look forward to contributing to a culture that prioritizes meaningful relationships and teamwork, empowering us to tackle challenges together and drive our mission forward.

A heartfelt thank you to NightDragon and their portfolio companies and partners for a swift and intense tenure. It was incredible ride, but I’m ready to get this party started; see you soon!