2016 Innovation Awards: PivotPoint Risk AnalyticsReprints
Data breaches are among the top concerns for any organization these days, with incidents reaching near catastrophic levels as personal and private business information is stolen, warehoused, sold and distributed. Their effects are far-reaching and expensive.
That's one question Baltimore-based PivotPoint Risk Analytics hopes to provide answers for with its new data breach risk assessment tool, CyVaR.
Tracy Martin, Baltimore-based director of product management for PivotPoint, was one of the original developers of the product, which came out in 2015. He said CyVaR grew out of the need for risk managers to understand how much is at stake if an incident — a systemwide infection by malware, for example — were to occur. It wasn't a question being answered in risk circles, he said.
According to Chris Washington, Herndon, Virginia-based vice president of engineering and head of product development for PivotPoint, traditional security has always zeroed in on incident-prevention technology.
“We are more risk-based, (focusing on) how to best protect the critical assets,” Mr. Washington said. “That's the difference between this product and what has been traditionally offered.”
That difference is what helped CyVaR earn a 2016 Business Insurance Innovation Award.
According to Mr. Martin, the program is set up like a computer wizard, such as TurboTax, and collects inputs on the organization's industry, its size, gross revenue, number of employees and other data. The program identifies the most critical business applications that drive revenue and tallies exposure of valuation of those assets. PivotPoint then studies the organization's defensive posture — practices in place to mitigate an incident. An analysis of threat data, historical data and incident rates across the industry is also considered.
“We put all of this together and run a simulation,” said Ms. Martin. “You can then come up with a dollar value of your risk.”
For the City of San Diego, that figure was $4.5 million, according to Gary Hayslip, the city's chief information security officer and deputy director in the information technology department. He used a CyVaR report in a budget presentation in November to help justify higher expenditure in the IT budget.
According to Mr. Hayslip, the city the houses information including residents' tax bills, permits, arrest and police records, and medical and personal information for 11,000 employees.
He said that as a result of a complete CyVaR study, the data risk security budget for the city now takes up 6% of the IT budget at just over $3 million, up from a bare-bones 1%.
“This actually gave us a dollar amount to our risk and the risk of using nonupdated programs,” Mr. Hayslip said. “It gives you an idea that if you have a breach, how much you can expect it to be and (offers) some recommendations that you should put in place to reduce your risk. Those recommendations become projects that are easily justifiable when you have a dollar amount to remove off your risk profile.”
Mr. Washington said CyVaR offers a one-time, periodic look at an organization's risk and that PivotPoint is working on an improvement that would constantly monitor risk.
“One of the trends that I have noticed in the industry is that many of the best programs have led to the delivery of the next program,” he said. “That's the next direction I want to take this product.”