Simon Marvell, Acuity: “there is a widespread misunderstanding of risk”


The rapid acceleration in the development of new cyber threats has encouraged companies to employ the necessary security measures quicker than ever before. Yet, not all available cybersecurity tools are equally effective.

Some might be useful for generating secure passwords, others for identifying and locating existing threats on a system, and some are capable of detecting an attempted attack before it actually happens. So it’s vital to evaluate the chosen security solutions before introducing new technologies.

We’ve reached out to Simon Marvell, the CEO at Acuity, to discuss the latest cyber threats, effective risk management solutions, and how the pandemic has affected the overall landscape of cybersecurity.

Tell us about your journey throughout the years. How did the idea of Acuity originate?

Before Acuity, I was a Co-Founder of a risk management and cybersecurity consulting firm, Insight Consulting, which we built and sold to Siemens PLC in 2004. From our experience at Insight, we knew that there was a gap in the market for an enterprise software solution with a strong risk management capability. My Co-Founder at Acuity, Richard Mayall, and I decided to address this opportunity.

Can you introduce us to your STREAM platform? What are its key features?

With Acuity’s STREAM Integrated Risk Manager platform, SaaS or on-premise, customers get an always-on clear line of sight into the cyber, IT, and operational risks facing their businesses. Then, they can build resiliency, comply with regulations and embrace digital transformation.

STREAM brings together the data, analytics, functionality, and reporting to provide the 360° contextual visibility that CISOs need so that they can stand any chance of managing the huge and rapidly evolving problem of cybersecurity and digital risk.

Key capabilities of STREAM include:

  • Quantification of risk in financial terms and comparison against management’s tolerance for risk
  • Automatic, real-time update of the risk calculation when the performance of key controls changes, vulnerabilities emerge, threats are identified, or new incidents arise
  • Customizable web forms for capturing data on the performance of critical controls, incidents, issues, and other events from third parties
  • APIs for integration with data sources, such as security rating solutions for data on threats and vulnerabilities
  • Action prioritization and orchestration to bring risk within tolerance based on the financial return on investment
  • At-a-glance management dashboarding and reporting
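The capabilities listed above (quantifying risk in financial terms, comparing it against a tolerance, recomputing when control performance changes, and ranking actions by financial return) can be illustrated with a small risk model. This is an added example, not STREAM's own code or calculation method; the control model, the sample risk register, and the tolerance figure are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Control:
    name: str
    effectiveness: float  # share of remaining likelihood removed when fully performing
    performance: float    # measured performance, 0.0..1.0, fed in from monitoring data


@dataclass
class Risk:
    name: str
    base_likelihood: float  # annual probability with no controls in place (assumed)
    impact: float           # financial loss if the event occurs (assumed)
    controls: List[Control]

    def likelihood(self) -> float:
        # Assumed model: each control removes effectiveness * performance of what is left.
        remaining = self.base_likelihood
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness * c.performance
        return remaining

    def expected_loss(self) -> float:
        return self.likelihood() * self.impact


def within_tolerance(risk: Risk, tolerance: float) -> bool:
    """Compare the financial risk figure with management's tolerance."""
    return risk.expected_loss() <= tolerance


def prioritise(risk: Risk, actions: List[Tuple[str, Control, float, float]]):
    """Rank candidate actions by ROI = expected-loss reduction / cost (highest first)."""
    ranked = []
    for label, control, new_perf, cost in actions:
        before, old_perf = risk.expected_loss(), control.performance
        control.performance = new_perf            # trial the improved performance
        reduction = before - risk.expected_loss()
        control.performance = old_perf            # undo the trial
        ranked.append((label, reduction / cost, reduction))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample register: one risk, two controls, one tolerance figure.
MFA = Control("MFA on third-party remote access", 0.8, 1.0)
PATCH = Control("Patching of internet-facing systems", 0.5, 0.9)
RISK = Risk("Ransomware via third-party remote access", 0.4, 2_000_000, [MFA, PATCH])
TOLERANCE = 100_000  # assumed annual expected-loss tolerance
```

Setting `MFA.performance = 0.5` (as new monitoring data arriving through a web form or API would) pushes the expected loss from 88,000 to 264,000, above tolerance, and `prioritise` then ranks restoring MFA coverage far ahead of extra patching because it removes more loss per unit of cost.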

Which industries should be especially concerned with implementing proper risk management solutions?

All industries, but in particular those that comprise the critical national infrastructure. For example, chemicals, civil nuclear, communications, defense, emergency services, energy, finance, food, government, health, space, transport, and water.

Have you noticed any new threats emerge during the COVID-19 pandemic?

The rapid move to working from home introduced new risks for the many organizations that didn’t already have the policies, processes, and infrastructure in place – both within organizations and at third parties.

The digital transformation – which was growing rapidly – has accelerated during the pandemic, and there is a danger that digital products and services are being introduced quickly without sufficient attention being paid to the risks.

Why do you think certain companies might not be aware of the security risks they are exposed to?

There is a widespread misunderstanding of risk. For example, third-party risk management programs that rely on asking for evidence of policies and controls in onboarding questionnaires are not actually managing risk. At best, these provide some assurance about the maturity and integrity of the third party but very little about the genuine risk to the business from engaging with those third parties.

Likely, there will be many more serious security breaches via third parties since organizations are no longer easily defined with clear boundaries. Instead, they are regarded as an extended web of vendors, suppliers, partners, agents, consultants, contractors, and other third parties – all relying upon digital products and services.

Besides quality risk management systems, what other security measures should be a part of every modern company?

Risk management enables targeting of the correct security measures, so it depends on individual circumstances. An Information Security Management System (ISMS) will put in place the policies, controls, change management, incident management, auditing, review, monitoring, and other processes – even better if externally certified.

Vulnerability management, regular penetration testing, and multi-factor authentication continue to be important technical measures. We can’t avoid risk altogether, so resilience, business continuity, and incident response are important as well.

What dangers can customers be exposed to if a company they trust fails to ensure compliance?

Only a small number of third parties will present a material risk. For example, where a security breach could have a material impact on the achievement of business objectives. If one of these third parties struggles to provide adequate security then there is a serious problem. Most security failures result in financial damage of some kind, often several years later, where the impact from reputational damage works its way through. So, ultimately, additional unplanned costs and underperformance against revenue and profit targets.

In your opinion, what kind of attacks are we going to see more of in 2022? What can average internet users do to protect themselves?

Attacks via third parties, such as phishing, malware, ransomware, etc. Internet users need to be educated and remain alert to more sophisticated ways of trying to trick us. Also, supply chain disruption, both digital and physical.

Tell us, what’s next for Acuity?

We continue to grow rapidly and expect to open a US office in the next 12 months to support and develop the customer base that we already have over there. We will continue to invest heavily in R&D for our STREAM platform with Artificial Intelligence, providing some very exciting future opportunities.