KPMG Outpaces ThreatConnect in Latest Cyber Risk Ranking by Forrester
In the latest Forrester Wave report on cyber risk quantification (CRQ), Safe Security and Axio have successfully maintained their dominance, whereas KPMG has climbed onto the leaderboard and ThreatConnect has experienced a significant drop. This shift underscores the rapidly evolving landscape of cybersecurity and the pressing need for advanced methodologies in risk quantification.
According to Forrester Senior Analyst Cody Scott, the CRQ tools of today have evolved beyond basic risk modeling, incorporating automation that simplifies the generation of recommendations, trend analyses, and insights across various systems. Modern CRQ platforms no longer rely solely on manual data input; instead, they automatically devise remediation strategies and provide cross-functional orchestration. Scott emphasizes that in 2023, features once considered "nice-to-have" have now become standard in the field.
Scott also noted a trend: many organizations are beginning to replace traditional Governance, Risk, and Compliance (GRC) tools with CRQ solutions. Traditional GRC outputs are often compliance-focused and do not adequately support strategic decision-making. In contrast, CRQ tools deliver real-time analytics, automated risk monitoring, and actionable decision-making grounded in quantifiable financial impact. This shift is crucial as businesses seek to make informed investments in their cybersecurity posture.
The effectiveness of CRQ tools becomes evident in their approach to third-party risk management. Traditional methods often rely on vague and subjective vendor ratings, while CRQ tools employ quantifiable financial models to evaluate potential losses more effectively. This objective assessment has garnered attention within the cyber insurance sector, which is shifting towards scenario-based evaluations for underwriting purposes.
The differentiation among leading CRQ solutions is marked by their ability to integrate advanced technologies such as generative AI. These innovations assist analysts in conducting more intuitive assessments and navigating complex risk scenarios. Companies like Axio and KPMG exemplify this trend, focusing on user-friendly interfaces that facilitate communication with both technical and non-technical stakeholders, addressing a broad spectrum of use cases, from cyber insurance to AI governance.
Looking ahead to 2027, Scott envisions a future where CRQ functionalities—specifically the modeling and quantification of cyber risk—become fully automated. This transition will eliminate the need for manual estimations of potential losses, with AI agents providing on-demand risk assessments informed by real-time data and organizational specifics. This evolution represents a significant pivot in how businesses will approach risk management.
Forrester’s latest analysis ranked Safe Security first in strategy and KPMG second, showcasing the latter’s rise from sixth place in 2023. In the offerings ranking, Safe also improved to the top, while KPMG and Axio followed closely behind. This dynamic highlights the competitive nature of the CRQ landscape and its ongoing development.
In summary, Safe Security’s focus on automating data intake and utilizing advanced AI technologies positions it favorably in the market. Conversely, Axio redefined its onboarding process for CRQ, allowing users to engage with the platform swiftly, empowering them with actionable insights from the outset. Meanwhile, KPMG’s emphasis on refining its onboarding experience and enhancing integrations indicates its commitment to addressing evolving client needs.
As businesses navigate this shifting environment, understanding the tactics and techniques outlined in the MITRE ATT&CK Framework will be pivotal for developing a robust cybersecurity posture. Emphasizing initial access, persistence, privilege escalation, and other critical tactics will enable organizations to bolster their defenses against increasingly sophisticated cyber threats.