May Edition 2021

‘Risk Based Security’s Mission Is to Provide Not Just Security, But the Right Security’: Jake Kouns, CEO and CISO of Risk Based Security


The cyberattack surface is growing year after year, and so is the number of vulnerabilities. With so many vulnerabilities, organizations now find it hard to stay up to date on them, analyze them, and handle the risk. Headquartered in Richmond, Virginia, Risk Based Security is helping organizations cut through the noise and focus on the threats and vulnerabilities that could impact their business. To bring this about, the company blends dedicated research and technical expertise, vulnerability intelligence, data breach analytics, cyber liability insurance experience, and real-world management experience to provide clients with meaningful and cost-effective security solutions.

When Risk Based Security (RBS) started in 2011, it took a new approach to managing software vulnerabilities and organizational risk. Its first product featured a comprehensive database covering all publicly reported data breaches and came to be known as Cyber Risk Analytics. The company enhanced that product with vendor risk ratings just as its software vulnerability product, VulnDB, started to take off. The combination of the two products has been widely embraced by the marketplace, and now RBS is recognized as a global leader in vulnerability intelligence, breach data, and risk ratings.

In an interview with us, RBS’s CEO and CISO Jake Kouns explained the importance for businesses of focusing on specific vulnerabilities rather than trying to keep up with the ever-increasing number of vulnerabilities. He also told us exclusively about the company’s brand-new Risk Based Security Platform. Read on to learn more about the new security platform.

Here are excerpts from the interview:

Q. What is your mission as a security company? Tell us about your services in brief.

Risk Based Security’s mission is to provide not just security, but the right security. That means helping organizations prioritize their efforts against the threats and vulnerabilities that are most relevant or impactful to their business. To enable that, we offer the most comprehensive and timely vulnerability intelligence, breach data, and risk ratings available on the market. We provide actionable insights into the cybersecurity risks that an organization faces, including from vulnerabilities they probably do not know about.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities. It is easy to use and is available via a SaaS portal or a RESTful API, easily integrating into GRC tools and ticketing systems.

Meanwhile, Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base.

We also provide organizations with on-demand access to high quality security and information risk management resources through our product YourCISO.

And now, we are really excited to preview the Risk Based Security Platform – a new best-in-class cyber security product that combines the most comprehensive and timely vulnerability intelligence, breach data and risk ratings, on a single pane. For the first time, security leaders can gain visibility into the overall security posture of their organization, including their supply chain, with advanced dashboards that draw attention to the latest vulnerability disclosures that apply to their environment and breach events impacting their vendors.

Q. What are the important factors that you address while designing and developing a security solution?

We have always insisted that what we offer to our clients are products and services that actually make a difference. We are not fans of the old flawed approaches to security that continue to be used, including disruptive legacy vulnerability scanning. Organizations deserve intelligence with the highest standards of quality, comprehensiveness and timeliness, to enable them to apply true risk-based security. We always keep the customer in mind as we continue to innovate and lead the security industry.

Q. Specialized vulnerability and threat intelligence available on the market often comes with an expensive price tag. How do you maintain your affordability and profitability?

The vulnerability and threat intelligence that we offer is what should always have been available in the market. In our view, organizations just haven’t been aware that the data they have been provided by their current vendors is so incomplete, and how badly it is hurting them. In truth, no organization should have to compromise, or deal with bad cyber intelligence. At RBS, we recognize that organizations have many priorities to consider when it comes to protecting their information assets. We work collaboratively with our clients to ensure that Risk Based Security delivers the highest quality intelligence at an affordable price point. In fact, our approach of working closely with our customers has allowed us to service clients ranging in size from SMBs to global brands and critical infrastructure.

Q. Modern cyberattacks are equally automated. How do you help organizations to fight fire with fire?

Unfortunately, things aren’t getting better yet. That is one thing we have learned as we continue to study data breaches and the vulnerability landscape. Attackers are always on the lookout for new opportunities. Like any business, they want to maximize the return on their work too. With more vulnerabilities being reported every year, more opportunities for successful attacks are being created. Last year, we aggregated well over 23,000 vulnerabilities. There are way too many vulnerabilities being disclosed for organizations to be aware of, to analyze and then properly handle the risk. When we talk to new organizations, we learn that they continue to be stuck, spending too much time researching and vetting cyber security issues, rather than actually remediating the most important ones.

That’s where we come in. We do that work for them, and that’s why it is critical that we make sure that every entry we capture is comprehensive, timely and actionable. With real-time alerts, we make sure that organizations know exactly when there is an event or vulnerability that affects them, and that they have all the information they need to make a true risk-based decision to mitigate or remediate those risks.

Q. Internal inefficiencies in an organization undermine security analytics and operations. Do you help your clients patch their internal operations?

As we have said for over a decade, everything is vulnerable. And with everything being connected these days, security is at the core of every business and technology process. The Risk Based Security product suite enables organizations to empower all teams that need better data, whether that be vulnerability managers, IT security teams, procurement, or vendors in their supply chain that need to improve their security.

With our data, our clients can more effectively improve their security posture and efficiently coordinate remediation activity, saving time and money. The feedback we get from our clients confirms this.

Q. The bigger the network, the bigger the issue. Do you think your services are ready to cater to the needs of never-ending digital transformation?

Our intelligence scales with the largest of organizations. We never stop updating both our vulnerability and data breach intelligence. It is our goal to make sure that our clients always have the most timely and comprehensive data available, no matter what vendor or products they have implemented. We are constantly adding additional coverage and we work specifically with our clients to ensure that we include the products and libraries that they have added or actively use in their organization, meeting their needs even as they transform and grow.

The Cybersecurity Visionary

Jake Kouns, CEO and CISO

Jake has been in the security industry in various roles for over twenty years. He started off in technical roles in network security, and became known as an expert in global firewall management and intrusion detection. That led him to find his true passion, security intelligence, and ultimately to become a CISO, even running a cyber-insurance product along the way. He eventually went on to co-found Risk Based Security in 2011.

He holds both a bachelor of business administration and a master of business administration degree from James Madison University, with a concentration in information security. In addition, he holds a number of certifications, including ISC2’s CISSP and ISACA’s CISM, CISA and CGEIT.
