Organizations widely vary in shape, size and mission, whether they're a mom-and-pop sandwich shop, a midsize law firm or a multibillion dollar global bank - or anything in between. But organizations are the same in a lot of ways, too, especially when it comes to the ongoing security threats they face.
Common areas of security weakness scale across the business world. A vulnerable website at a Fortune 500 really isn't much different than a buggy site at a bed-and-breakfast. Put another way, the bad guys don't discriminate. If you've got weak points, they will make you pay.
Where businesses can distinguish and differentiate themselves from one another, however, is through their risk maturity level. Our new custom tool, known as the Trustwave Risk Maturity Assessment, which we're officially announcing today, enables security executives to measure, understand and visualize their security risk posture across the organization. It also offers suggestions for rectifying any deficiencies. And eventually, as more people take the assessment, benchmarks will emerge by which organizations can compare their risk stance against others in their industry.
How efficient at data protection is your organization? Are you putting your resources to the right places? Where are you lacking? Can you handle security on your own, or would you be better off with some help? It's better for you to find out all of this first - before the attackers do.
We sat down with Doug Klotnia, Trustwave general manager of Compliance & Risk Management, to learn more about the value of this unique tool.
Q: Hi Doug. For starters, why is assessing, identifying and mitigating one's risk important?
I'll ask a question back to that: How willing are you to roll the dice with your company's critical assets, whether that be customer information, intellectual property, or some other sensitive data? Probably not very much, so that's why reducing your risk profile to an acceptable level should be paramount to the security group's mission. Companies that aren't ready to handle unexpected security events may find themselves on the front page of The Wall Street Journal, beneath a headline that includes the word "breached."
Q: Considering how common breaches are and how numerous and advanced security threats are, what kind of company wouldn't be evaluating their risk?
You'd be surprised. Most organizations accept risks because they don't understand them. In addition, they rely on the flawed belief that nothing bad will happen to them, or that their existing security solutions - which often are too perimeter-focused or even sitting on the shelves because they're so complex to manage - will save them. And in the off-chance that something does go wrong, they assume they'll be able to react to it.
But that's the wrong mindset. Risk management is all about being proactive by considering all of one's susceptibility to threats, and figuring out the most efficient and effective ways to deal with them.
Q: So tell us how the Trustwave Risk Maturity Assessment works?
We know security executives are busy. That's why we've created a multiple-choice assessment that spans fewer than 30 questions. It shouldn't take more than eight minutes to complete. By comparison, it usually takes me longer than that to buy a coffee in the morning.
While the assessment won't take you much time to complete, we believe it covers most, if not all, of the security risk factors you should be thinking about and provides a 360-degree view of your technical controls, policy/procedure, management/governance, physical security, maintenance and strategy. The questions in the evaluation range from: "Does your organization hold regular security planning meetings" to "How often does your organization perform penetration testing on 'mission critical' systems?" to "Does your organization encrypt its stored sensitive data?"
Q: How do the test takers know if they've entered the right answers?
I like to think there are no wrong answers because nobody's perfect. Our goal is to help you improve. Based on your responses to the questions, you'll immediately get from us a one-page summary of your risk profile and suggested best practices. A few days later, we'll send you a more detailed report that will provide comprehensive recommendations based on Trustwave's best-in-class experience working with customers of all sizes, including many that have experienced data breaches. In addition, the report will chronicle how well your security risk maturity stacks up against other businesses in your vertical. Then, if you'd like, we can set you up with a trusted advisor, who can help you dive deeper into areas you want to fix.
Q: Aside from knowing where one's security shortfalls are, what else can this report help with?
In my experience interacting with senior security professionals, I've learned that one of their persistent pain points is connecting with the C-level suite and obtaining the buy-in and financial support they require to prepare for and respond to today's threats. The Trustwave Risk Maturity Assessment will detail your areas of success and those in need of improvement in easy-to-understand terms that can be easily and seamlessly conveyed to non-technical leadership.
Q: Anything else you'd like to add, Doug?
Just one thing: Oftentimes organizations clump their IT risk assessments together and don't conduct security-specific evaluations. Failing to separate security risk from general IT risk is a recipe for failure. This tool is a great step to avoid that mistake.