Consortium Acquires Cyber Risk Quantification Startup To Become ‘Next-Gen VAR’

The solution provider’s acquisition of Metrics That Matter is aimed at providing customers with a more-objective, continuously updated picture of their cyber risk, Consortium CEO Nate Ungerott tells CRN.

Solution provider Consortium has acquired a cyber risk quantification startup, Metrics That Matter, with the aim of providing customers with a more-objective and continuously updated view into their cybersecurity risk picture, company executives told CRN.

By taking this data-driven approach, Cherry Hill, N.J.-based Consortium is aiming to “create the next-gen VAR” that can provide stronger recommendations as well as greater specificity on how much risk reduction they can expect from their cybersecurity investments, CEO Nate Ungerott said in an interview.

The terms of the acquisition weren’t disclosed. Metrics That Matter is bringing its 11 employees to Consortium, which now has a total headcount of 70.

By utilizing real data aggregated from cyber insurance claims and building client profiles, the Metrics That Matter technology can ultimately project what the inherent cyber risks are to a client, according to Consortium CTO Andrew Barnett.

Far too often, decisions on cybersecurity buying are based on subjective judgments around the impact and effectiveness of the tools, Barnett said.

With the acquisition of Metrics That Matter, “now we have empirical data that we can make judgments on,” he said.

“Now as a VAR, I can talk to my client about what their current state looks like — ‘This is exactly what you are doing in terms of buying down risk for the organization. What should we go do next?’” Barnett said. “What this empowers our clients to do is now go talk to their peers in the business and say, ‘Here's what my program is doing for you today.’”

Ungerott said that using data and analytics in this way is far superior to the standard, people-intensive approach to assessing cyber risk.

For instance, an organization can bring in a team of risk consultants to do assessments and come up with reporting that delivers some amount of quantification, he said.

But the shelf life of this quantification is far too short, according to Ungerott.

“The second that [the consultants] walk out of the environment, it's stale,” he said. “This [new approach] allows us to keep them updated on a weekly, monthly, quarterly basis.”

Ungerott previously spent nearly a decade at cybersecurity solution provider giant Optiv, including as executive vice president of sales from 2018 to 2022, while Barnett’s career has included roles at Optiv and Deloitte.

Both executives joined Consortium in early 2024 with the goal to scale up the business, as the company transitioned from its roots as a founder-led company, Ungerott said. Consortium was launched in 2016 by former CrowdStrike executive Larry Pfeifer, who remains involved with Consortium as executive chairman.

The connection to Metrics That Matter was a natural one, Consortium executives said, given that the startup was also founded by Pfeifer.

In addition to utilizing cyber insurance claims data and building client profiles, Metrics That Matter also updates its catalog of cybersecurity vendor tools every month, said Charles Iannuzzelli, who served as COO of Metrics That Matter and continues to lead that team within Consortium.

As part of evaluating security vendors, “we're mapping them back into the tool so we can quickly assess any new vendor solutions hitting the market — and [determine] if they will help our clients buy down risk in a better way,” Iannuzzelli said. “So we're keeping on top of every new vendor that hits the market.”

Major vendor partnerships for Consortium include CrowdStrike, Palo Alto Networks and Wiz, while the solution provider works with more than 300 vendors in total.

Ultimately, when it comes to Consortium’s approach to cyber risk quantification using the capabilities from Metrics That Matter, “there are no other VARs that are doing this,” Barnett said. “The combination of intellectual property [for risk quantification] — a true SaaS product that's owned and operated by the VAR — we're the first ones.”