
Q&A: How a simple, new tool will assess your risk and why that's important

Organizations vary widely in shape, size and mission, whether they're a mom-and-pop sandwich shop, a midsize law firm or a multibillion-dollar global bank - or anything in between. But organizations are the same in a lot of ways, too, especially when it comes to the ongoing security threats they face.

Common areas of security weakness scale across the business world. A vulnerable website at a Fortune 500 really isn't much different than a buggy site at a bed-and-breakfast. Put another way, the bad guys don't discriminate. If you've got weak points, they will make you pay.

Where businesses can distinguish and differentiate themselves from one another, however, is through their risk maturity level. Our new custom tool, known as the Trustwave Risk Maturity Assessment, which we're officially announcing today, enables security executives to measure, understand and visualize their security risk posture across the organization. It also offers suggestions for rectifying any deficiencies. And eventually, as more people take the assessment, benchmarks will emerge by which organizations can compare their risk stance against others in their industry.

How efficient at data protection is your organization? Are you putting your resources to the right places? Where are you lacking? Can you handle security on your own, or would you be better off with some help? It's better for you to find out all of this first - before the attackers do.

We sat down with Doug Klotnia, Trustwave general manager of Compliance & Risk Management, to learn more about the value of this unique tool.

Q: Hi Doug. For starters, why is assessing, identifying and mitigating one's risk important?

I'll ask a question back to that: How willing are you to roll the dice with your company's critical assets, whether that be customer information, intellectual property, or some other sensitive data? Probably not very much, so that's why reducing your risk profile to an acceptable level should be paramount to the security group's mission. Companies that aren't ready to handle unexpected security events may find themselves on the front page of The Wall Street Journal, beneath a headline that includes the word "breached."

Q: Considering how common breaches are and how numerous and advanced security threats are, what kind of company wouldn't be evaluating their risk?

You'd be surprised. Most organizations accept risks because they don't understand them. In addition, they rely on the flawed belief that nothing bad will happen to them, or that their existing security solutions - which often are too perimeter-focused or even sitting on the shelves because they're so complex to manage - will save them. And in the off-chance that something does go wrong, they assume they'll be able to react to it.

But that's the wrong mindset. Risk management is all about being proactive by considering all of one's susceptibility to threats, and figuring out the most efficient and effective ways to deal with them.

Q: So tell us, how does the Trustwave Risk Maturity Assessment work?

We know security executives are busy. That's why we've created a multiple-choice assessment that spans fewer than 30 questions. It shouldn't take more than eight minutes to complete. By comparison, it usually takes me longer than that to buy a coffee in the morning.

While the assessment won't take you much time to complete, we believe it covers most, if not all, of the security risk factors you should be thinking about and provides a 360-degree view of your technical controls, policy/procedure, management/governance, physical security, maintenance and strategy. The questions in the evaluation range from: "Does your organization hold regular security planning meetings" to "How often does your organization perform penetration testing on 'mission critical' systems?" to "Does your organization encrypt its stored sensitive data?"

Q: How do the test takers know if they've entered the right answers?

I like to think there are no wrong answers because nobody's perfect. Our goal is to help you improve. Based on your responses to the questions, you'll immediately get from us a one-page summary of your risk profile and suggested best practices. A few days later, we'll send you a more detailed report that will provide comprehensive recommendations based on Trustwave's best-in-class experience working with customers of all sizes, including many that have experienced data breaches. In addition, the report will chronicle how well your security risk maturity stacks up against other businesses in your vertical. Then, if you'd like, we can set you up with a trusted advisor, who can help you dive deeper into areas you want to fix.

Q: Aside from knowing where one's security shortfalls are, what else can this report help with?

In my experience interacting with senior security professionals, I've learned that one of their persistent pain points is connecting with the C-level suite and obtaining the buy-in and financial support they require to prepare for and respond to today's threats. The Trustwave Risk Maturity Assessment will detail your areas of success and those in need of improvement in easy-to-understand terms that can be easily and seamlessly conveyed to non-technical leadership.

Q: Anything else you'd like to add, Doug?

Just one thing: Oftentimes organizations clump their IT risk assessments together and don't conduct security-specific evaluations. Failing to separate security risk from general IT risk is a recipe for failure. This tool is a great step to avoid that mistake.
