Qualys launched Qualys Enterprise TruRisk Platform
November 2023 by Marc Jacob
During our 2023 Qualys Security Conference (QSC) taking place in Orlando, Florida, November 6-9, 2023, I unveiled an exciting new milestone for the company – the release of our new Qualys Enterprise TruRisk Platform, marking a seismic shift for the future of Qualys as a leader in managing and reducing cyber risk for CISOs as well as security practitioners.
What is Enterprise TruRisk Management?
The Qualys Enterprise TruRisk Platform aggregates cyber risk signals from a wide array of disparate sources and correlates them into measurable risk insights using the unified TruRisk risk scoring framework. As a result, users are empowered with a centralized means of measuring, communicating, and eliminating their cyber risk with precise remediation and mitigation actions, supplying them with an optimized path to cyber risk reduction.
A Vision Turned into Reality – The Qualys Enterprise TruRisk Platform
My announcement about the new vision for our company’s ground-breaking platform is the maturation of a concept that Qualys began working on years ago through a commitment to not only deliver powerful security solutions for attack surface management, vulnerability management, and remediation but also to provide a higher level of orchestration between these solutions that allow security leaders to better identify, prioritize, and action cyber risk remediation to maximize positive impact business on the business.
In my keynote at QSC, I outlined how we now see the negative impact that disjointed cyber risk scoring methodologies and disparate cybersecurity point solutions have had on CISOs and the organizations they secure. Despite a market push to release more cyber risk ‘measurement’ solutions, security leaders and stakeholders have no reliable means of aggregating, correlating, and translating cyber signals from a growing cybersecurity stack into meaningful cyber risk mitigation and remediation strategies.
Since the release of Qualys Vulnerability Detection Management and Response (VMDR) in 2019, Qualys has rolled out a series of transformative cybersecurity solutions, including CyberSecurity Asset Management (CSAM) with External Attack Surface Management, Custom Assessment and Remediation (CAR), VMDR 2.0 with TruRisk, and TotalCloud with TruRisk Insights. These Qualys solutions, while compelling on their own, deliver unparalleled, end-to-end asset management and security coverage as a comprehensive platform, with a unified view of risk under one agent and a single scalable solution.
Why Now – Why Enterprise TruRisk?
With ever-expanding attack surfaces and a growing threat landscape, cyber risk has become an elevated topic of importance and prominence for virtually every organization, especially for the C-suite. Today, nearly 50% of CISOs report directly to the CEO, with over 90% regularly briefing their Board of Directors about their organization’s exposure to cyber risk. As a result, CISOs are being nudged into roles that require them to move beyond merely enumerating cyber risk in the form of Key Risk Indicators (KRIs).
Today, CISOs and security leaders must also measure and communicate cyber risk in the form of Key Performance Indicators (KPIs) that provide the business impact of vulnerabilities, threats, and risk posture in real time. However, this is easier said than done. With over 60 security tools on average, security leaders are forced to parse through a complex maze of risk data from a collection of disparate solutions managed by different teams and split between IT and Security to calculate, articulate, and remediate cyber risk across their extended infrastructure.
Case in point – over the last year, the Qualys Threat Research Unit ran over 2.6 billion vulnerability scans across 60 million assets to find that 2.1 billion of those scans were scored as ‘critical’ or ‘high’ according to CVSS. Meanwhile, of these ‘critical’ or ‘high’ CVSS results, only 603 million, or less than a third, were truly high risk when applying the contextual analysis of the Qualys TruRisk engine. Conversely, from this same sample, Qualys researchers also found that CVSS rated 87 million vulnerabilities as ‘low’ or ‘medium’ risk. In contrast, TruRisk rated them as ‘high’ or ‘critical’ – highlighting the inaccuracy and danger of relying on CVSS alone to measure and prioritize cyber risk.
As I pointed out in my QSC address, cybersecurity leaders, and any cyber risk stakeholder for that matter, are guiding their cyber risk mitigation and remediation strategies with incomplete, inaccurate risk information. Instead, they’re measuring risk with limited data, and because of this, they’re communicating the cyber risk inaccurately to their stakeholders and not reducing cyber risk effectively for their businesses. It’s a big problem that most cybersecurity companies are not solving in the way they need to.
The Enterprise TruRisk Platform not only provides a centralized way for organizations to measure and eliminate their cyber risk but also arms users with the actionable insights they need to communicate their actual cyber risk posture to internal security and business risk stakeholders. Additionally, it provides external executive stakeholders, from the board to cyber risk insurers, with the necessary data they need to make the right decisions.
Measure, Communicate, and Eliminate Cyber Risk
The introduction of The Enterprise TruRisk Platform marks Qualys’ commitment to helping CISOs, cybersecurity practitioners, and risk stakeholders quantify the impact their cyber risk has on their businesses, with actionable paths to eliminate that risk with concise remediation and mitigations. Through this advancement, customers will now be able to gain even more from the comprehensive Qualys Threat Library and over 25 threat intelligence feeds that they already receive, empowering them to reduce their cyber risk posture more effectively across their organizations with tangible business context.
The Qualys Enterprise TruRisk Platform is the only cybersecurity and risk management solution that enables you to:
• Measure Cyber Risk – Aggregates cyber risk across Qualys and third-party products and their Risk Factors.
• Communicate Cyber Risk – Translates disparate cyber risk data into common actionable insights and business impact metrics for key security and business risk stakeholders.
• Eliminate Cyber Risk – Eliminates cyber risk across the extended enterprise with precise remediation and mitigation actions.