
We Take Pride in Being a Leader in the CRQ Forrester Wave

Published by David White

It’s been an exciting journey to become a leader in the Forrester Wave: Cyber Risk Quantification Report

Today, it is a great honor to announce that Axio has been recognized as a Leader in The Forrester Wave™: Cyber Risk Quantification, Q3 2023.

Two years ago, we had our very first conversation with Forrester research analysts about cyber risk quantification (CRQ). Security professionals have always had strong opinions on its usefulness and value in the market. Everybody runs cybersecurity programs differently. The common thread in the community has always been about alleviating the complexity and increasing the visibility of defense. The appeal of cyber risk quantification has always been the outcome: spending your next dollar better to stay secure.

Our track record and heritage set us apart in the CRQ space

Cyber risk quantification is just one of several core elements in our product. In addition to CRQ, our integrated software platform supports cybersecurity assessment, cybersecurity program planning, and insurance stress testing.

We have been delivering the value of CRQ to our clients since the founding of Axio, initially using spreadsheets and ultimately using our Axio360 software platform – the product evaluated in support of the Forrester report issued today. We wrote the textbook on cybersecurity resilience (CERT-RMM) before cyber resilience was even a talking point in the industry at large. Today, the world’s most popular risk assessment frameworks are based on that foundation, and we proudly support them in the Axio360 platform.

In those early days, we recognized the importance of CRQ in our work with critical infrastructure companies with both IT and OT cyber risk exposure. Axio CRQ enables our clients to gain enormous insight and value from even a single day of inquiry and analysis. It allows them to make sound decisions on priorities and investments to protect and sustain their most critical operations.

Our conversations with Forrester continued through 2021 as low-probability, high-impact cyber-attacks shook the world to its core. Many of the victims were in critical infrastructure, one of our domains of expertise. The White House responded with new initiatives, and board members and CEOs began to prioritize the importance of understanding cybersecurity in non-technical terms. This is where Axio360’s CRQ solution got to shine.

We had the opportunity to showcase how our product works to model the same cyber threat scenarios on everyone’s minds. We believe nobody can do it faster with more transparency and ease.

Forrester’s recognition fills us with immense validation of our heritage and reinforces our commitment to our unified vision of risk management, usability, and community building.

If you are looking for a CRQ solution, you have come to the right place. Join us as we delve into the reasons why we are different.

We never wanted to be like FAIR 

Unlike many in the CRQ community, we don’t use the FAIR methodology or the OpenFAIR derivative. While we applaud what FAIR has done to popularize CRQ, we believe the method is overly focused on probability estimation at the expense of a sufficient understanding of impact.

That said, there’s room in the market for more than one method. The most important consideration of any CRQ methodology is that it be one that you use — one that you can effectively adopt as part of your organization’s routine process.

Axio’s CRQ methodology is an extension of the OCTAVE methodologies developed at Carnegie Mellon University – my alma mater and former employer. Note that Axio received a 5 out of 5 score from Forrester in the methodology criterion.

We care about the impact first

Axio CRQ, like any risk analysis method, addresses both probability and impact, but we take a very focused look at the impact in all its forms. We all know that we will never drive cyber event probability to zero. And as long as the probability is non-zero, an organization must endure the impact to survive. An organization’s resilience is ultimately determined by its ability to endure the impact, not guess the probability. So, organizations must understand the impact in detail.

After all, how can you truly respond to or prepare for risk without understanding the potential impact in enough detail to inform your plans?

Our belief in usable security stems from our customer-first vision

Axio’s mission is simple: to be the easiest and most defensible CRQ (Cyber Risk Quantification) product on the market. We have built Axio360 with a user-first approach, making our platform accessible and user-friendly to all. We understand that not everyone has specialized expertise or years of training in statistics or scenario modeling, so we have designed our methodology to be intuitive and straightforward. We know that you, our customer, know more about your unique technology dependencies and risk exposures than we do. You and your colleagues are the experts; we’re just the guides. We bring our methodology and software coupled with a passionate curiosity about your unique risks and a deep commitment to your success.

And as the Forrester report noted, “Axio is a good fit for organizations that leverage a control-based approach in their risk management program, including those in utilities, oil and gas, and the public sector.” We think that’s spot-on, and probably the reason we work with so many organizations in those sectors.

Stakeholder-agnostic communication: effortless and flexible

Effective communication is at the heart of any successful cybersecurity program, and we at Axio excel in partnering with security teams to aid in some of their most difficult conversations. Our platform enables seamless communication regardless of the audience’s cybersecurity expertise or organizational level. Whether presenting to executives, technical teams, or external stakeholders, our reporting features provide transparent and comprehensive insights. We believe in a stakeholder-agnostic approach, ensuring that the value and progress of security/risk improvements are effectively conveyed and understood by all.

As one user of another methodology remarked in a demo with us, “Wait, you’ve created CRQ for the masses. I no longer need to send my C-suite back to school to get statistics degrees!”

The community we build will only continue to grow: we deeply appreciate our customers

At Axio, we’ve assembled a team of risk experts that share a passion for protecting critical infrastructure and extensive experience with both IT and OT risk to help you succeed on your CRQ journey. But knowledge goes two ways. Along the way, we’ve enjoyed deep and privileged relationships with many customers, some of whom have been with us since those earliest days. The recognition of Axio as a leader in Cyber Risk Quantification in the Forrester Wave is a validating milestone for us on our journey. If you are a customer, know that we stand on your shoulders. Thank you. Thank you for trusting us. Thank you for granting us the privilege to work with you. Thank you for sticking with us. And thank you for all that you do to protect our critical infrastructure – and our way of life. We deeply appreciate you being on this journey with us.

For those of you who aren’t customers, know that we also appreciate all that you do to protect your organization from cyber harm, and we hope that you too will ultimately become part of the Axio community.

Once again, we’d like to thank Forrester for recognizing the importance of cyber risk quantification and providing the expert resources to conduct the analysis and produce the Forrester Wave. Thank you for including us and for all that you do to help organizations make good decisions.

Download the Forrester Wave Cyber Risk Quantification Report.