Safe Security Buys Cyber Risk Quantification Vendor RiskLens

Boards and senior-level executives are asking questions about risk every day, but the job of answering those questions can be difficult, since data is often spread between risk management and security teams.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

Safe Security says it will help clients improve the visibility, management and communication of risk across the enterprise through its purchase of RiskLens, the creators of the industry’s only open standard for cyber risk quantification.

The Silicon Valley-based risk management vendor said its buy of Spokane, Washington-based RiskLens will help CISOs answer fundamental questions about risk from the C-suite, board members or regulators without having to talk about products or compliance, said co-founder and CEO Saket Modi. The deal will allow RiskLens to move from point-in-time to continuous assessments through Safe Security’s automation (see: Safe Security Raises $50M to Bring ML to Risk Quantification).

“We don’t know any other platform which is able to deliver this kind of value,” Modi told Information Security Media Group. “This creates a superpower and absolute category killer when it comes to cybersecurity risk quantification and the broader risk management market.”

The Perks of an Open Standard

RiskLens, founded in 2011, employs 50 people and raised $26.8 million in three rounds of outside funding. Most of the company’s employees have joined Safe Security, and CEO Nick Sanna is now president of the combined organization. Terms of the acquisition, which closed this week, weren’t disclosed. The deal comes three months after Safe Security closed a $50 million Series B funding round.

“Today, the risk management teams have their own assessment process, and the security operations teams have their own assessment process,” Sanna said. “There is no one single source of truth where people who need to measure risk and people who need to act upon risk are working off the same set of data.”

RiskLens’ Factor Analysis of Information Risk standard will be embedded into the Safe Security platform over the next nine to 12 months to provide more granular controls around risk quantification, Modi said. This means Safe Security customers will be moving from a proprietary standard that’s opaque to security practitioners to a transparent, open standard backed by more than 15,000 people (see: Why We Need a Holistic Risk-Based Approach to Cybersecurity).

“No matter how accurate or how great a model is, I cannot trust it if I can’t see the model,” Modi said.

Bringing Customization to Risk Simulation

Safe Security today offers customers a very limited number of risk scenarios since everything maps to MITRE ATT&CK techniques and is hard-coded from an automation perspective. But once FAIR is embedded into Safe Security, Modi said, organizations will be able to create customized risk scenarios that are tailored to their environment and more relevant to their business.

“We always were chasing the same things, but it was more fragmented,” Modi said. “And the moment you put things together, the sum total is much greater than the individual parts.”

The integration with Safe Security will give existing RiskLens customers real-time risk monitoring, which Sanna said would have taken years for the company to build on its own. The RiskLens platform will be retired and customers will transition to Safe Security technology once the integration work is complete in approximately a year, according to Sanna.

“This creates a superpower and absolute category killer.”


– Saket Modi, co-founder and CEO, Safe Security

From a metrics perspective, Modi expects the RiskLens technology will allow Safe Security to maintain annual growth rates of between 150% and 200% for the next several years. Safe Security will also track customer satisfaction and net retention rates to measure how much value the organization is delivering, with the hope customers will pay more for bringing the FAIR methodology, automation and AI together.

“We want to become the McKinsey of cybersecurity, where CISOs can rely on the output that comes from us,” Modi said. “With this acquisition and this partnership, we’re on the way to doing that.”