The Data Behind “It’s Not If…But When” by Ryan Dodd

We’ve all heard the phrase, “It’s not a matter of IF a cyber attack will happen, but WHEN it will happen.” It’s as ubiquitous as that famous one word imparted to a young Dustin Hoffman in the movie, The Graduate – “plastics.” Taking this logic a step further, it’s prudent to ask, “HAS a cyber attack already happened?” The data tells us that most companies can’t say for sure. (What data, you ask? I’ll get to that in a minute.)

In fact, the companies that have publicly announced they have fallen victim to a cyber attack are only a small fraction of the companies that have actually been attacked. There are essentially three categories of companies that have experienced a cyber attack:

  • Companies that don’t even realize they’ve been hacked;
  • Companies that can confirm a breach, but are not required to disclose it; and
  • Companies that are subject to fines and public disclosures – the only form of “transparency” that has historically existed in cybersecurity.

Enter Verodin and Cyberhedge data. For the first time, there is actual data to support the premise, “It’s not if…but when,” and perhaps more importantly, “Has it already happened?” Verodin provides companies with important proof points to pinpoint and better manage areas of cyber risk, while Cyberhedge models quantify this cyber risk in financial terms – all before a hack occurs. This unique combination of data empowers CISOs with metrics and transparency around security effectiveness, and CFOs with metrics and transparency around the associated financial/operational impact of a breach or attack, as well as the value of their cybersecurity investments. In this sense, it allows companies to measure cyber risk as they measure any other systemic risk – in real dollars.

All hacks are not created equal. Beyond the binary question of whether a hack has occurred, quantifying cyber risk enables companies to answer the more complicated question of its impact. For example, the type of attack that would have the greatest financial and customer-confidence impact for a retail home goods company is different from the type of attack that would create the same level of impact for a healthcare institution. Furthermore, a hack targeting customer data, while disruptive for customers, has a relatively finite scope of operational disruption. Conversely, a malware or ransomware attack targeting essential operations has the potential for much farther-reaching and longer-lasting impacts. And these attacks are on the rise: according to a report from Malwarebytes, malware attacks against businesses have increased by more than 300 percent since Q1 of 2018.

So, the next time someone tells you, “It’s not if…but when,” you might want to ask if they have the cyber risk data to back it up.

Without the data, it’s just another industry catchphrase.

I’ll join Verodin CISO Brian Contos to discuss this and other issues in a webinar on December 19, 2019 at 10am PT / 1pm ET. Don’t miss it!

Register here.

About Ryan Dodd

Ryan is Founder and CEO of Cyberhedge, a company that applies his 20 years of experience in real-world financial modeling and risk management to provide instant pricing of cyber risk in financial terms for over 5,000 corporations. Cyberhedge works with ratings agencies, institutional investors and cyber security providers to help cyber teams better communicate with the C-Suite and Board of Directors. For more, visit

*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: