Safe Security CEO On Shaking Up Third-Party Risk Quantification With New Tool

The new module quantifies the risk of ransomware and data exfiltration for third-party vendors, while combining the signals with first-party and SaaS risk, Safe Security CEO Saket Modi tells CRN.

Safe Security is taking a new approach to quantifying third-party cyber risk with the debut of a new tool that represents a “massive” opportunity for channel partners, according to the company’s CEO.

Saket Modi, co-founder and CEO of Safe Security, told CRN exclusively that the company’s new Safe TPRM (third-party risk management) module will stand out by quantifying the risk of specific threats — such as ransomware and data exfiltration — for third-party vendors in an “actionable” manner. For instance, Safe TPRM will provide an actual risk measured in dollars of ransomware occurring at a certain third party, Modi said.

“We actually quantify the risk in a way the business can understand it,” he said.

On top of offering improved third-party risk management compared to existing vendors in the space, Safe Security will also combine the third-party signals with the data on first-party and SaaS risk that the company has already offered, according to Modi.

As a result, “in one dashboard you can get your first party, your third-party and your SaaS applications [risk] all converged into one,” he said.

Notably, Safe Security is bringing a “channel-first” approach to sales with 95 percent of deals through partners, Modi said — and the new offering presents the channel with a major opportunity. Offering this type of risk quantification approach is “the dream of every channel,” he said, which is “to manage your first-party and third-party risks together in one platform.”

Initially founded in 2012 (as Lucideus) to offer services around penetration testing and vulnerability assessment, the company shifted into becoming a vendor with the launch of its first product in 2020. Investors include former Cisco Systems CEO John Chambers, who provided seed funding to Safe Security and has remained actively involved with advising the company, Modi said. Safe Security has raised about $100 million in total.

In mid-2023, Safe Security acquired cyber risk quantification vendor RiskLens, whose FAIR (Factor Analysis of Information Risk) standard is now leveraged on the Safe One platform.

What follows is an edited and condensed portion of CRN’s interview with Modi.

What’s the big problem Safe Security is aiming to address in cyber defense?

There are so many cybersecurity products that a company has today. But if you think about finance, there is a product like an Oracle NetSuite or SAP, which is your ERP, which is what every CFO goes to for decision making. That's where all the feeds come in, and they get one central view of things. It’s exactly the same thing for a sales leader: you’ve got Salesforce, where you get all the data together and then you're seeing the sales forecast. But which product [does that] for cybersecurity? It doesn't exist. The closest would be a SIEM or a SOC. But that's only reactive. That's looking at your logs and converting that into incidents. It is not actually telling you what your cyber risk is. SIEM and SOC are like looking at the rearview mirror and driving the car, because you're only finding out [about] an incident after it has occurred, not before.

How can we marry all these together — the signals together — and make sense out of them? Our customers include the biggest names you can think of — Facebook, Netflix, Dropbox, ADP, Chevron, Victoria's Secret, GSK, Novartis. What we do for them is exactly that. When we go to an ADP or a Chevron, we integrate their existing cyber telemetry and enable faster and more confident data-driven decision making and give them visibility of risk in a business context. And the business context means — for ransomware, data exfiltration — what is the likelihood of that? What is the loss magnitude? So if ransomware does occur, you're looking at a loss magnitude of $200 million [for instance]. We actually quantify the risk in a way the business can understand it.

What’s the ultimate potential for Safe Security as a platform?

We will become the ERP of cybersecurity. We will become the CRM of cybersecurity. Because it doesn't exist today. Palo Alto Networks, Zscaler — everybody talks about becoming a platform. What platform? Because it is still just doing detection. Palo Alto Networks, Zscaler, CrowdStrike, Fortinet [are] doing detection. You need a non-detection vendor. We don't deploy agents. We just suck in the telemetry from existing security platforms and your compliance [systems]. So we can upload your SOC 2, NIST, DORA. We can put all of that together. And then we give you a risk posture, which changes in real time. The reason it changes in real time is because, if anything changes internally or externally, your likelihood of ransomware will change.

Where are you looking to go next with the product?

This year at RSA, we're bringing this concept into third-party risk. We are calling it the “cyber risk singularity.” The reason why we say cyber risk singularity is because a CISO or a CIO wants to know the risk of data exfiltration — it doesn't matter whether the data exfiltration happens in your own cloud, in your own data center or your third-party vendor or your SaaS vendor. What matters is, just tell me the risk of data exfiltration. Today, there is no way by which you can get to one view of data exfiltration risk, ransomware risk, DDoS risk, cryptomining risk, wiper risk. So there are these risk scenarios that you can talk about. And there's no way in one dashboard you can get your first party, your third-party and your SaaS applications all converged into one. The risk is the same — it's the same data which is going everywhere. That is the exact problem itself. Our mission is to make every company in the world achieve cyber risk singularity.

How significant of an opportunity do you see for Safe Security here?

This is a very, very big deal. When I was talking to John Chambers, the first time I pitched this idea a year back, and we spoke about the approach on third-party risk — his parallel analogy is that this is like how we went from routers to switches. This is the moment when CrowdStrike took on Symantec and McAfee — which were on-prem, antivirus [tools] — with a fundamentally new architecture and output. And CrowdStrike changed the game. The rest is history. That's exactly what we're doing to third-party risk management. We are not 10 percent better, we are 10 times better.

Tell me a bit more about how John Chambers has been involved since becoming an investor?

More than the money, the more important thing is, he spends almost an hour with me on a weekly basis [and has done that] for the last six years. He's very closely involved in the business. I would say that Cisco was one of the first companies on the planet to crack the channels model in the right way, in a way which was a win-win. The reason why Cisco grew was channels, and John was obviously a big proponent of that.

What’s the opportunity with your new offering for channel partners?

There is a massive channels play [with Safe TPRM]. This is a game changer for channels. Because this was the dream of every channel where [partners can] manage your first-party and third-party risks together in one platform, and do managed services for that. My go-to-market here is not direct sales. Here I know I need to be channel-first.

What’s the advantage of your new approach over existing approaches?

In a broad sense, there are two types of third-party risk management vendors. There is a vendor which is more continuous and outside-in like BitSight, SecurityScorecard, UpGuard, RiskRecon. There's a host of companies like that, but they're only outside-in. Then there are these questionnaire-based assessments which are OneTrust, Prevalent, ProcessUnity. There's a host of companies [that offer] the workflow automation for questionnaires. What is the output from both of them? SecurityScorecard and BitSight give you a score. A score of A, B, C, D or F is what SecurityScorecard gives you. BitSight gives you a score between 300 and 700. What does that mean? What is the meaning of a score of 600? Is it against Russia? Is it for ransomware? Is it for data exfiltration? Is it for DDoS? Or is it all of the above? It cannot be all of the above. What we do, on the contrary, is actually tell you the breach likelihood from the top risk scenarios — like ransomware, like data exfiltration.

I was talking to the CTO of one of the top three retailers in the U.S., which is a customer of ours. And he says, “If I'm giving all my data to a third-party vendor who has a 90-percent chance of data exfiltration, I will stop working with them today.” SecurityScorecard tells me that it's a C or a B, which doesn't mean anything. It's not actionable. What is the meaning of a C or a B? It just doesn't make sense.

On the other side, the questionnaire-based assessments, they tell you compliance. They tell you, “Yes, this third-party vendor is SOC 2 compliant or ISO compliant.” These are totally disjointed. They're totally disconnected. There's a company we're working with that is among the top three pharmaceutical companies in the world and they have 60,000 third parties. Now imagine being able to put 60,000 third parties in, and figure out which are the 10 most risky third parties for data exfiltration. And by the way, that's a different list than the 10 [riskiest] third parties because of outage. It's a completely different list. One difference is [quantifying] the likelihood of a scenario.

The second thing which will take the game to a whole new level [is that] we also talk about the loss magnitude to you. Today, the tiering of third parties happens purely based on the contract size. But today that startup, which is a small vendor, they're taking all your customer data. If that gets [stolen], you are really screwed. We actually quantify the dollars — that if that third party gets attacked, how much will it cost you?

This is what everybody wants. So this retail CTO says, “If you can give this view, I will put a threshold of data exfiltration risk for every vendor I'm exposing my data to. And if it's more than 40 percent, I don't want to talk to them. I don't care what business they give me.” That is an actionability which was never possible in the past.

How would you summarize what Safe Security is doing and what you’re aiming to accomplish with channel partners?

In summary, this is a fundamentally different approach. And what we're going towards is, this is a channels play. We already have multiple channel people and we are expanding that team. This is where, again, John Chambers comes in and the whole channel playbook that he brings in. So channels is massive for us. We are a channel-first company already. We fulfill more than 95 percent of our deals through channels. We work with a ton of good [partners] already — Cyderes, GuidePoint. But what I’m talking about is, how do we go to the next level? There are so many incredible [partners to work with]. And this is a hot, brand-new, AI-enabled technology that people should be excited about.