Presented by Kenna Security


Over the past 20 years, startups designed to calculate, quantify, and reduce cybersecurity risk have fallen as quickly as they appeared. Silicon Valley is littered with companies that never found receptive audiences among executives for whom cybersecurity risk was top of mind.

Lately, however, we’re seeing cybersecurity vendors coalesce around the idea of risk, and they are finally finding a receptive audience among executives, cyber insurance underwriters, and others who are beginning to understand the benefits of a risk-based security model. These executives are starting to realize that security professionals cannot protect everything, all the time.

The question in the security space is no longer “how do I get to 100 percent security?” It’s “how do I galvanize my resources to reduce the risk of a successful breach?”

The answer is complex: for one thing, the scale of the cybersecurity challenge is larger than it has ever been. At the same time, data science and machine learning are paving the way for tools and techniques that can be used to understand the full breadth of the challenge.

Available tools were never enough

In the early days of the internet, we saw an emphasis on blocking cyberattacks. This gave way to an emphasis on detection, followed in turn by intrusion prevention technology, firewalls, and a wave of firms that analyzed cyberthreats and performed security information and event management (SIEM) functions.

Behind this sequence of new technology were security providers trying to offer new tools to respond to threats as they emerged. Unfortunately, the pace and scale of breaches only increased as companies became more reliant on information technology.

This has created new space for risk management, which has taken hold as a motivating force in cybersecurity. Security challenges are complex, the threats are constantly evolving, and there is a shortage of qualified people to tackle them. In short, no tool does it all.

A problem of inhuman scope

To understand the scope of the IT security challenge, consider the state of vulnerability management efforts at the enterprise level. This discipline of cybersecurity uses scanners to find known security holes in an organization’s IT assets, tracks them, and identifies remediation strategies.

The average enterprise faces more than 40 million vulnerabilities in its environment. The typical organization only has the capacity to patch 10 percent of them, and the best can only patch about 25 percent.

When companies do not have the capacity to patch everything, the fallback position is to identify those vulnerabilities that pose the most risk to the organization. In one review of enterprise vulnerability management efforts at a dozen selected companies, research that our company conducted with the Cyentia Institute found more than 2 billion vulnerabilities, more than 500 million of them deemed high risk. And simply put, the methods for tracking vulnerabilities at many organizations aren’t up to snuff. Many teams, some at shockingly large companies, use spreadsheets to track vulnerabilities, and intuition to prioritize which to tackle first.

And here’s the rub: sometimes organizations get it wrong. They patch things that they believe are risky, but are not, which leads to wasted effort in situations where there is not enough capacity to begin with. When dealing with millions of vulnerabilities, the human mind simply cannot assess the risks clearly and accurately. It’s a job that can only be tackled by computing power and machine learning.

Done right, however, machine learning can lead to effective prioritization of the riskiest vulnerabilities the organization faces. And that leads to an overall reduction in the organization’s risk. That reduction is measurable, and it is achieved with the least possible wasted effort.
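To make the capacity argument concrete, here is an added illustration (not Kenna Security’s code or model) of prioritizing a vulnerability backlog under a fixed patch budget. Each finding carries a severity score, an exploitation likelihood and an asset-criticality weight; the risk model, the field names and the ten sample findings are all constructed for this example. Ranking by severity alone versus ranking by risk shows how much measured risk reduction the same patching capacity buys.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    """One vulnerability finding. Field semantics are assumptions for this example."""
    vuln_id: str
    severity: float            # base severity score on a 0-10 scale (CVSS-like)
    exploit_likelihood: float  # 0-1 estimate that this will be exploited (threat intel / model output)
    asset_criticality: float   # 0-1 weight for how much the hosting asset matters

    @property
    def risk(self) -> float:
        # Simple multiplicative risk model: how bad x how likely x how much it matters.
        return self.severity * self.exploit_likelihood * self.asset_criticality


# Constructed sample backlog, not real findings. Note the high-severity items that
# sit on low-value assets with little evidence of exploitation.
SAMPLE_BACKLOG: List[Vuln] = [
    Vuln("V-001", 9.8, 0.02, 0.3),
    Vuln("V-002", 7.5, 0.90, 1.0),
    Vuln("V-003", 5.3, 0.60, 0.8),
    Vuln("V-004", 9.1, 0.05, 0.5),
    Vuln("V-005", 6.5, 0.70, 0.9),
    Vuln("V-006", 4.3, 0.10, 0.2),
    Vuln("V-007", 8.8, 0.01, 0.4),
    Vuln("V-008", 7.2, 0.40, 0.7),
    Vuln("V-009", 3.1, 0.05, 0.1),
    Vuln("V-010", 9.9, 0.03, 0.2),
]

STRATEGIES: Dict[str, Callable[[Vuln], float]] = {
    "severity": lambda v: v.severity,  # patch the highest CVSS-like score first
    "risk": lambda v: v.risk,          # patch the highest modelled risk first
}


def total_risk(vulns: List[Vuln]) -> float:
    return sum(v.risk for v in vulns)


def select_for_patching(vulns: List[Vuln], capacity_fraction: float, strategy: str) -> List[Vuln]:
    """Pick the findings to patch this cycle: rank by the strategy, cut at the capacity budget."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    if not 0.0 < capacity_fraction <= 1.0:
        raise ValueError("capacity_fraction must be in (0, 1]")
    budget = max(1, int(len(vulns) * capacity_fraction))
    ranked = sorted(vulns, key=STRATEGIES[strategy], reverse=True)
    return ranked[:budget]


def plan(vulns: List[Vuln], capacity_fraction: float, strategy: str) -> dict:
    """Return what gets patched and the measured risk before/after for this strategy."""
    chosen = select_for_patching(vulns, capacity_fraction, strategy)
    chosen_ids = {v.vuln_id for v in chosen}
    remaining = [v for v in vulns if v.vuln_id not in chosen_ids]
    before, after = total_risk(vulns), total_risk(remaining)
    return {
        "strategy": strategy,
        "patched": [v.vuln_id for v in chosen],
        "risk_before": before,
        "risk_after": after,
        "reduction_pct": 100.0 * (before - after) / before if before else 0.0,
    }


if __name__ == "__main__":
    # Same 20% patch capacity, two different orderings of the same backlog.
    for strategy in STRATEGIES:
        result = plan(SAMPLE_BACKLOG, 0.2, strategy)
        print(f"{result['strategy']:>8}: patch {result['patched']} -> "
              f"risk {result['risk_before']:.2f} -> {result['risk_after']:.2f} "
              f"({result['reduction_pct']:.1f}% reduction)")
```

With a 20 percent budget the severity ordering patches V-010 and V-001 and removes well under 1 percent of the modelled risk, while the risk ordering patches V-002 and V-005 and removes roughly two thirds of it. The `reduction_pct` figure is the measurable number the text refers to; in practice the likelihood and criticality inputs would come from exploit intelligence and an asset inventory rather than hand-entered constants.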

Weighing costs and benefits

Business risk is an age-old dilemma. Risk is a language that is well understood by executives, who typically think of it as dynamic and evolving.

The idea of risk, in this sense, isn’t the likelihood that a person standing near the edge of a cliff will fall off. In the business world, it’s broader, involving trade-offs that weigh the costs and benefits of action against the costs of inaction, and the cost of expending resources on one initiative over others.

Treating cybersecurity risk as a resource problem, with the right data, holds executives accountable, because it allows them to see not only what they are doing, but what they have decided not to do.


Karim Toubba is CEO at Kenna Security.


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.