ThreatConnect Buys Risk Quantification Firm Nehemiah Security
‘This is something that security leaders have been dreaming about for a long time, the ability to make their conversation with the board simple,’ says ThreatConnect CEO Adam Vincent.
ThreatConnect has purchased Nehemiah Security to help companies better measure the degree to which specific security investments reduce an organization’s risk profile.
The Arlington, Va.-based cybersecurity vendor said its acquisition of Tysons, Va.-based Nehemiah Security will allow practitioners to move away from KPIs like number of security events when reporting to the board and instead provide meaningful business metrics that deliver insight into how well a security organization is actually operating, according to ThreatConnect CEO Adam Vincent.
“We speak in terms that boards don’t speak in terms of veiled threats and risk,” Vincent told CRN. “This is something that security leaders have been dreaming about for a long time, the ability to make their conversation with the board simple.”
Terms of the deal, which closed Aug. 18, aren’t being disclosed. Nehemiah Security was founded in 2015, and roughly 20 employees will be coming over to ThreatConnect, including the company’s product leadership team, Vincent said.
Nehemiah’s technology allows customers to quantify the value of what’s being protected and overlay all investments across the security organization to determine what value each investment is having on the company’s overall security posture, Vincent said. As a result, when customers go to the board, they’re now able to provide the current level of risk and quantify how much specific activities decrease risk.
Vincent said Nehemiah caught ThreatConnect’s attention because it is very focused on automation rather than being services-heavy like many of its peers. As a software company, Vincent said ThreatConnect is well-positioned to provide the threat intelligence and operational data that serve as the foundational inputs for Nehemiah’s cyber risk quantification engine.
“Money is tight, and people don’t want to waste their time on things that don’t add value,” Vincent said.
The CISOs (Chief Information Security Officers) at many of ThreatConnect’s existing customers were already attempting to do risk quantification manually using spreadsheets, and Vincent said Nehemiah will make that process a lot easier. Vincent said ThreatConnect is in a very powerful position with lots of strategic organizations, and is fine-tuning synergies with the Nehemiah product to maximize benefits.
On the other side, Vincent said 80 percent of Nehemiah’s customers are interested in talking about ThreatConnect’s vision of bringing intelligence, operations and risk together, even if they’re already using competing products. Vincent said Nehemiah will benefit from getting the power of ThreatConnect’s sales and marketing team behind its technology as well as an increased budget to pursue product goals.
The team working on the risk quantification product will operate as a startup within ThreatConnect and focus on iterating as quickly as possible, Vincent said. From a metrics standpoint, Vincent said the company plans to focus on pipeline, the number of customers adopting the product, the frequency of logins, and the number of use cases that are employing ThreatConnect Risk Quantifier.
Vincent hopes the Nehemiah transaction will take cyber risk quantification from something that’s talked about annually or quarterly to something that’s being looked at every day, almost like a ticker.
“People are clamoring for this, and it’s going to be really exciting,” Vincent said.
As a practitioner, it can be hard to quantify whether or not the security organization is spending dollars in the right places, said Sean Kallaugher, chief technology officer at Medford, N.J.-based ThreatConnect partner Consortium Networks. Given that businesses don’t have unlimited funds and time, Kallaugher said it’s important to prioritize where they spend money to get the most bang for their buck.
Cyber risk quantification allows companies to translate security concepts into business terms by delineating how much it would cost an organization to buy down a certain amount of risk, Kallaugher said. Once the board has that information, Kallaugher said they can make an educated decision around how much money they wish to spend minimizing risk.
“This is a tool that’s going to help security and business teams speak the same language,” Kallaugher said. “It helps with that translation.”